Social networks make it easy for 3rd parties to identify you
By jacqui@arstechnica.com (Jacqui Cheng) on Twitter
By now, it's no secret that social networks (or really any websites) are sharing some of your usage data with advertising partners in order to provide more targeted ads. Most of the time, this data gets anonymized when it gets passed on so that there's no personally identifiable information attached to your browsing history. Or does it? I turns out that some social networks—including the majors that we all know and love—have an interesting definition of "anonymous," essentially making it possible for lots of personally identifiable information to be exposed in connection to browsing habits.
Facebook, MySpace, LinkedIn, Digg, and LiveJournal (among others) are all guilty of "leaking" personally identifiable information (PII) to partners, according to a recent study by Worcester Polytechnic Institute researcher Craig E. Wills and AT&T Labs' Balachander Krishnamurthy. A "leakage," by the study's definition, is the opportunity for a third party to link the information they get from the social networks (either in the form of logs or browser cookies) to someone's PII—your name, phone number, and dog's favorite treat aren't passed on directly, but can easily be pieced together.
Netflix Prize 2: (Privacy) Apocalypse Now?
By nate@arstechnica.com (Nate Anderson) on privacy
Netflix yesterday passed out a $1 million check to the stats geeks of "BellKor's Pragmatic Chaos," the team which won the Netflix Prize by improving on the company's algorithms for picking the movies that Netflix subscribers might like to watch next. Chief Product Officer Neil Hunt then announced a sequel, the Netflix Prize 2, but one law professor is already calling the new contest a "multi-million dollar privacy blunder."
The Netflix data set released for use with the first prize was supposedly "anonymized," but security researchers found a way to link the anonymous movie recommendations with data from other sites in order to identify individual Netflix users. If your information appeared in the first data set, someone knowing a bit about your movie preferences could figure out the complete set of movies that you rated on Netflix—an information leak that would certainly not please all users.
Microsoft posts quick "Fix it" links for SMB2 flaw in Vista
By emil.protalinski@arstechnica.com (Emil Protalinski) on Windows Vista
Microsoft has issued a quick temporary fix, described in KB Article 975497, for a recently disclosed flaw for 32-bit and 64-bit flavors of Windows Vista, Windows Server 2008, and Windows 7 Release Candidate (but not the RTM). The flaw, which is in Microsoft's implementation of Server Message Block 2 (SMB2, an extension of the conventional server message block protocol), can be exploited to remotely crash and restart computers running either of the operating systems. Microsoft is telling IT pros to utilize its automated "Fix It" tool for now to deal with the unpatched vulnerability; here are the "fix this problem" links: Disable SMB2 and Enable SMB2. An important thing Microsoft notes for these "Fix it" links is that although the wizard may be in English only, the automatic fix still works for other language versions of Windows.
Facebook Beacon shines for last time as part of settlement
By jacqui@arstechnica.com (Jacqui Cheng) on settlement
As quickly as it swooped into Facebook users' lives and revealed their secret purchasing habits to the world, Beacon has now been shut down as part of a lawsuit settlement. Facebook revealed late Friday that its controversial "advertising" feature would be shuttered, saying that the company had "learned a great deal from the experience." Facebook also plans to donate $9.5 million to an organization that fights for online privacy, though the settlement proposal still awaits approval by a judge.
Facebook's Director of Policy Communications Barry Schnitt said in a statement that the whole Beacon ordeal "underscored how critical it is to provide extensive user control over how information is shared." He said the company also learned how to communicate changes to users (you know, instead of just dumping things like Beacon on them without a peep), and that the introduction of Facebook Connect allows for much greater user control over how their Web antics get shared back to friends on Facebook.
Microsoft Security Essentials release "in the coming weeks"
By emil.protalinski@arstechnica.com (Emil Protalinski) on Microsoft Security Essentials
Late last night, Redmond fired off e-mails to testers of the Microsoft Security Essentials (MSE) beta program on Microsoft Connect to tell them the final version of the product would be released to the public "in the coming weeks." That's right, it won't be long now before everyone can use the first release of Microsoft's free antivirus software on their Windows computers. In the e-mail, the software giant also made a point to ask testers to upgrade to the latest beta version, if they haven't already. The full body of the message is below:
CGISecurity - Website and Application Security News
All things related to website, database, SDL, and application security since 2000.
SVN Flaw Reveals Source Code to 3,300 Popular Websites
By Robert A. on IndustryNews
"A Russian security group has posted a detailed blog post about how they managed to extract the source code to over 3,300 websites. The group found that some of the largest and best known domains on the web, such as apache.org and php.net, amongst others, are vulnerable to an elementary information...
New open source web application layer firewall 'ESAPI WAF' released
By Robert A. on Web Application Firewalls
"The open-source ESAPI WAF is a departure from commercial, network-based firewalls, as well as ModSecurity's free WAF, says Arshan Dabirsiaghi, developer of the ESAPI WAF and director of research for Aspect Security. Dabirsiaghi will roll out the WAF at the OWASP Conference in Washington, D.C., in November. "WAFs today are deployed...
Strict Transport Security (STS) draft specification is public
By Robert A. on Research
Fellow coworker Jeff Hodges has announced the formal specification draft for Strict Transport Security. STS is a new proposed protocol for allowing a website to instruct returning visitors to never visit the site on http, and to only visit the site over https and is entirely opt in. This can prevent...
CNET News - Security
Survey: Half of businesses don't secure personal data
By Lance Whitney
The personal information you give to businesses may not be as secure as you hope, according to a new survey.
Around 55 percent of all businesses acknowledge that they secure credit card information but not Social Security numbers, bank account details, and other personal data, according to a survey of ...
Twitter phishing scam spreads via direct messages
By Elinor Mills
A new phishing scam is spreading through Twitter via direct messages, according to several reports.
Itamar Kestenbaum writes on his JewNews.net blog that he received a direct message on his Twitter account from someone he didn't know that said "rofl this you on here?" followed by a link ...
Originally posted at InSecurity Complex
Microsoft to release free security software soon
By Ina Fried
Microsoft plans to release the final version of its free antivirus software soon, according to a note sent to testers late Sunday.
"The final version of Microsoft Security Essentials will be released to the public in the coming weeks," Microsoft said in the note.
(Credit: CNET News)
Microsoft first announced its plans for the product, ...
Originally posted at Beyond Binary
Reducing threats for Net-linked security cameras, ATMs
By Elinor Mills
ICSA Labs, which sets standards for commercial security products, plans to announce on Monday a new program for helping corporations protect themselves from attacks and snooping via Internet-connected devices such as printers, copiers, ATMs, and security cameras.
Under the ICSA Labs Network Attached Peripheral Security Certification and Assessment program, experts ...
Originally posted at InSecurity Complex
CounterMeasures
Rik Ferguson blogs about security issues.
Razer downloads distributing malware
By Rik Ferguson on web
UPDATE: I have been speaking to the folks from Razer, as soon as they were aware of the issue, they took down the support website and are working really hard to rectify things. It’s really great to see a company that have the safety of their customers so uppermost in their minds. __________________________________________________________________________________________ The support website at gaming [...]
Your life in their hands?
By Rik Ferguson on security
Once again this blog represents my personal views and not necessarily those of Trend Micro According to a report in the Daily Express newspaper, the British intelligence services have hired “50 computer-savvy hackers – some of them still teenagers” to work in the Cyber Operations Command that was recently announced as a part of the UK [...]
The Word Is Not Enough – Online banking fraud
By Rik Ferguson on password
A US judge has allowed a couple to bring a case against their bank, that could have important ramifications across the US. Marsha and Michael Shames-Yeakel state that they were the victims of fraud perpetrated though their online bank account to the tune of $26,500. As extensively reported by legal blogger David Johnson over on the [...]
Darknet - The Darkside
Ethical Hacking, Penetration Testing & Computer Security
Twitter DM Phishing Scam
By Darknet on twitter spam
As Twitter gains momentum there are more and more attacks on it, it’s users and the most recent is a phishing scam via DM (Direct Message). It was uncovered recently that it was being used as a Botnet Control Channel, shortly before that it was subjected to a DoS attack. This isn’t the first time DMs have [...]
Websecurify – Web Security Testing Framework
By Darknet on XSS
Websecurify is a web and web2.0 security initiative specializing in researching security issues and building the next generation of tools to defeat and protect web technologies. Key Features JavaScript – Websecurify Security Testing Framework is the first tool of its kind to be written entirely in JavaScript using only standard technologies adopted by the leading browsers. Multiple Environments [...]
DarkReading - All Stories
DarkReading
Up To 9 Percent Of Machines In An Enterprise Are Bot-Infected
Most are members of tiny, unknown botnets built for targeting victim organizations
Couple's Lawsuit Against Bank Over Breach To Move Forward
Case raises questions about banks' liability in breach of customers' accounts online
Trend Micro Gets Top Spot In New Anti-Malware Test
Tests prove all anti-malware products are not the same, researchers say
New Free Web Application Firewall 'Lives' In The App
Open-source project aims to put WAF control into application developers' hands
Microsoft Ups The Ante In Fight Against Rogue Antivirus
Prevalence of rogue antivirus attacks intensifies
DarkReading - Security News
DarkReading
GoldenSource for Derivatives Wins Financial News 'Best New Vendor Solution' 2009 Award
Clayton Consultants to Discuss Kidnapping Practices, Prevention and Survival Tactics at ASIS 2009
Hosted Solutions Named as 'Top Ten' Best Managed Hosting Service by HostReview
NICE Introduces NiceVision eXpress, Delivering Enterprise-class Cost-effective Video Surveillance for Small and Mid-sized Deployments
G4S Wackenhut Launches Hi-Tech Security Monitoring and Data Center
eWeek Security Watch
Search Engine Manipulation Grows Up
In Virus and Spyware
Attackers are more frequently using compromised legitimate Web sites in their efforts to lure search engine users into finding their malware threats.
Social Networking Hack Hides Attack
In Web 2.0
An online service that promises to help people hack others' Facebook accounts is just a mere scam in its own right, researchers report.
Rogue Twitter Accounts Blasting Out Links for Fake Antivirus
In Virus and Spyware
Researchers at F-Secure say there has been an increase in attackers generating rogue Twitter accounts in order to blast out URLs leading to malicious sites.
New Fake AV Threats on the Prowl
In Virus and Spyware
Phony AV tools continue to flood the Web in many forms, as recently noted by researchers with Sophos.
Click Fraud Experts Report New Botnet
In Virus and Spyware
Click fraud experts are reporting on a new botnet attack being used to drive traffic to sites using a sizeable zombie network.
Federal Computer Week: Security News
USCIS redesigns Web site to improve usability, access
Obama administration sees redesigned site as a model for others.
Outsourcing some services could be risky
The Immigration and Customs Enforcement agency plans to outsource disaster recovery planning, raising security questions.
DHS intell office to realign IT capabilities
The Homeland Security Department's top intelligence official told a House subcommittee how IT would help share security information.
TIC initiative gathers speed
Agencies have until Sept. 25 to file plans with the Office of Management and Budget on how they plan to comply with the Trusted Internet Connection initiative.
Authentication said key to cybersecurity
Bruce McConnell, a top cybersecurity official, said authentication of users and devices is key to cybersecurity.
OPM cuts security-clearance processing time
The investigation period has been decreased from a year to just under 40 days, according to testimony given by OPM Director John Berry before a Senate Homeland Security and Governmental Affairs subcommittee. But some still say more can be done.
TSA needs privacy IT tools, IG says
The TSA has made progress in implementing privacy protections, but still needs to beef up its monitoring and enforcement with automated tools, DHS Inspector General Richard Skinner says.
Info Security News (isn) Mailing List
Carries news items (generally from mainstream sources) that relate to security.
Hacker breaks into research study data
Posted by InfoSec News on Sep 25
http://www.charlotteobserver.com/local/story/967722.html
By Eric Ferreri
newsobserver.com
Sept. 25, 2009
CHAPEL HILL - A hacker has infiltrated a computer server housing the personal data of 236,000 women enrolled in a UNC Chapel Hill research study. Among the information exposed: the...
Up To 9 Percent Of Machines In An Enterprise Are Bot-Infected
Posted by InfoSec News on Sep 25
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=220200118
By Kelly Jackson Higgins
DarkReading
Sept 24, 2009
Bot infections are on the rise in the enterprise, and most come from botnets you've never heard of nor ever will.
In a three-month study of...
Demon ebill blunder exposes thousands of passwords
Posted by InfoSec News on Sep 25
http://www.pcpro.co.uk/news/security/351814/demon-ebill-blunder-exposes-thousands-of-passwords
By Barry Collins
PC Pro
23 Sep 2009
Demon Internet has sent out a spreadsheet containing the personal details of thousands of customers with one of its new ebills.
The spreadsheet - which has...
Secunia Weekly Summary - Issue: 2009-39
Posted by InfoSec News on Sep 25
The Secunia Weekly Advisory Summary 2009-09-17 - 2009-09-24 This week: 66 advisories
========================================================================
...
Secret teen hacker army ridiculed
Posted by InfoSec News on Sep 25
http://www.theregister.co.uk/2009/09/24/hacker_cyberdefence_hire_nonsense/
By John Leyden
The Register
24th September 2009
The UK government's reported decision to employ ex-hackers to work at a newly-established Cyber Security Operations Centre have met with derision from both a...
Contractor pleads guilty to SCADA tampering
Posted by InfoSec News on Sep 24
http://www.networkworld.com/news/2009/092309-contractor-pleads-guilty-to-scada.html
By Robert McMillan
IDG News Service
09/23/2009
A former IT consultant for an oil and gas exploration company has pleaded guilty to tampering with the company's computer systems after he was turned...
Black Hat DC Call for Papers is now OPEN
Posted by InfoSec News on Sep 24
Forwarded from: Jeff Moss <jmoss (at) blackhat.com>
It will be held February 2-3, 2010 at the Hyatt Regency Crystal City in D.C. https://www.blackhat.com/html/bh-dc-10/bh-dc-10-cfp.html the CFP closes December 1, 2009.
This year features no anime con or people in superhero outfits.
...
Madoff investors security may have been breached
Posted by InfoSec News on Sep 24
http://www.newsday.com/business/madoff-investors-security-may-have-been-breached-1.1466325
By ANTHONY M. DESTEFANO
Newsday
September 22, 2009
More than 2,200 Bernard Madoff investors are learning that some of their personal and financial information has potentially been breached after...
Are Med-Student Tweets Breaching Patient Privacy?
Posted by InfoSec News on Sep 24
http://www.time.com/time/health/article/0,8599,1925430,00.html
By Alice Park
Time.com
Sept. 23, 2009
Personal profiles on Facebook and other social-networking sites are a trove of inappropriate and embarrassing photographs and discomfiting breaches of confidentiality. You might expect...
DOD repurposed IT equipment without scrubbing sensitive info, audit reveals
Posted by InfoSec News on Sep 24
http://fcw.com/articles/2009/09/23/inspector-general-audit.aspx
By Amber Corrin
FCW.com
Sept 23, 2009
Some Defense Department organizations haven't scrubbed data from information technology equipment before disposing of the hardware, resulting in the possible release of information that...
John Arquilla: Go on the Cyberoffensive
Posted by InfoSec News on Sep 24
http://www.wired.com/techbiz/people/magazine/17-10/ff_smartlist_arquilla
By Noah Shachtman
Wired Magazine 17.10
09.21.09
The Pentagon already employs legions of elite hackers trained in cyberwarfare. But they mostly play defense, and that's what Naval Postgraduate School professor...
Ants vs. worms
Posted by InfoSec News on Sep 24
http://www.wfu.edu/wowf/2009/20090921.ants.html
By Eric Frazier
Office of Communications and External Relations September 21, 2009
In the never-ending battle to protect computer networks from intruders, security experts are deploying a new defense modeled after one of nature's hardiest...
Expert challenges UFO hackers 700k bill
Posted by InfoSec News on Sep 23
http://www.computerweekly.com/Articles/2009/09/22/237807/expert-challenges-ufo-hackers-700k-bill.htm
By Mark Ballard
ComputerWeekly.com
22 Sep 2009
The US inflated the $700,000 bill for damages it slapped on UFO hacker Gary McKinnon by stuffing it with costs incurred for patching the...
Authentication said key to cybersecurity
Posted by InfoSec News on Sep 23
http://fcw.com/articles/2009/09/22/web-mcconnell-cybersecurity.aspx
By Ben Bain
FCW.com
Sept 22, 2009
The ability to authenticate computer users, devices and processes is a major part of the Homeland Security Department's emerging vision for improved computer security, a top...
DoD Preparing To Lift USB Ban
Posted by InfoSec News on Sep 23
http://www.darkreading.com/insiderthreat/security/storage/showArticle.jhtml?articleID=220100601
By Kelly Jackson Higgins
DarkReading
Sep 22, 2009
The ban on USB drives that began late last year in the U.S. Defense Department will be lifted, but with a caveat: Only DoD-approved or...
7 Ways Security Pros DONT Practice What They Preach
Posted by InfoSec News on Sep 23
http://www.csoonline.com/article/502914/7_Ways_Security_Pros_DON_T_Practice_What_They_Preach
By Bill Brenner
Senior Editor
CSO
September 22, 2009
IT security pros are often driven to drink -- literally -- over the daily battles of their job: bosses unwilling to accept the rationale...
Hilton executive in corporate espionage case exits
Posted by InfoSec News on Sep 23
http://business.timesonline.co.uk/tol/business/industry_sectors/leisure/article6844703.ece
By Dominic Walsh
Times Online
September 22, 2009
Hilton Hotels Corporation, the American hotel behemoth, has replaced Ross Klein as global head of luxury and lifestyle brands after a lawsuit...
How is government coping with cyber crime?
Posted by InfoSec News on Sep 22
http://www.futuregov.net/articles/2009/sep/22/how-government-coping-cyber-crime/
By Robin Hicks
FutureGov
22 September 2009
What are governments doing to ensure that critical online operations remain operational when under attack from cyber criminals? FutureGov asked senior civil...
ToorCon 11 Preliminary Lineup Announced!
Posted by InfoSec News on Sep 22
Forwarded from: h1kari <h1kari (at) toorcon.org>
TOORCON 11 PRELIMINARY LINEUP ANNOUNCED! We're proud to announce our preliminary lineup for ToorCon this year and especially our keynote, Vernor Vinge. Vernor is a prolific science fiction novel writer and is best known for his Hugo...
Cyber threat calls for flexibility in command model, general says
Posted by InfoSec News on Sep 22
http://gcn.com/articles/2009/09/21/lord-emphasizes-joint-force-approach-to-battle.aspx
By Amber Corrin
GCN.com
Sept 21, 2009
Technology's dark side has created a new battlefield in cyberspace, and that brings new considerations to the way military commands should be structured, according...
Lawsuit Tied To Bank Gmail Error Cant Be Secret, Judge Says
Posted by InfoSec News on Sep 22
http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=220100410
By Thomas Claburn
InformationWeek
September 21, 2009
A bank's effort to prevent the disclosure of information about a data breach arising from an errant Gmail message has been rejected by a federal...
Gaming mouse-maker Razer hit with infected firmware
Posted by InfoSec News on Sep 22
http://www.computerworld.com/s/article/9138360/Gaming_mouse_maker_Razer_hit_with_infected_firmware?taxonomyId=17
By Robert McMillan
September 21, 2009
IDG News Service
Gamers trying to update their mouse or keyboard drivers from accessory maker Razer USA's Web site recently may have...
Linux Advisory Watch - September 18th 2009
Posted by InfoSec News on Sep 22
+----------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | September 18th, 2009 Volume 10, Number 38 | | | |...
Hacker attacks website over Kadeer film
Posted by InfoSec News on Sep 22
http://www.chinadaily.com.cn/china/2009-09/22/content_8719448.htm
By Cui Jia
China Daily
2009-09-22
A well-known Chinese hacker has struck again, hitting a film festival showing a documentary about Uygur separatist Rebiya Kadeer.
Around 3 pm Monday, Taiwan's Kaohsiung Film Festival...
InformationWeek Security News
InformationWeek
Coverity Reports Reduction In Code Defects
By Charles Babcock
The company started scanning open source code for reliability and integrity three years ago and has a Department of Homeland Security contract.
Report: Department Of Defense Putting Data At Risk
By J. Nicholas Hoover
Data deletion policies aren't being properly followed across the board, risking exposure of personal or sensitive data on IT equipment recycled to schools and other organizations.
Department Of Defense Putting Data At Risk
By J. Nicholas Hoover
Data deletion policies aren't being properly followed across the board, risking exposure of personal or sensitive data, report says.
Department Of Defense Putting Data At Risk
By J. Nicholas Hoover
Data deletion policies aren't being properly followed across the board, risking exposure of personal or sensitive data, report says.
Microsoft Posts Fix For SMB Vulnerability
By Thomas Claburn
A fix is available for the vulnerability in Microsoft's Sever Message Block software.
Microsoft Posts Fix For SMB Vulnerability
By Thomas Claburn
A fix is available for the vulnerability in Microsoft's Sever Message Block software.
Google Urges Cooperation Against Bad Ads, Malware
By Thomas Claburn
A malicious ad surfaced in Google search results just as Google called for a more concerted industry effort against such scams.
Google Urges Cooperation Against Bad Ads, Malware
By Thomas Claburn
A malicious ad surfaced in Google search results just as Google called for a more concerted industry effort against such scams.
Gmail Breach Lawsuit Can't Be Secret, Judge Says
By Thomas Claburn
A lawsuit seeking to identify a Gmail user who accidentally received confidential bank information must proceed in public.
Lawsuit Tied To Bank Gmail Error Can't Be Secret, Judge Says
By Thomas Claburn
A lawsuit seeking to identify a Gmail user who accidentally received confidential bank information must proceed in public.
Lawsuit Tied To Bank Gmail Error Can't Be Secret, Judge Says
By Thomas Claburn
A lawsuit seeking to identify a Gmail user who accidentally received confidential bank information must proceed in public.
Apple Examines iPhone Battery Woes
By Marin Perez
Users are complaining that the iPhone OS 3.1 software decreases battery life, hinders logging in to Exchange accounts, and causes random shutdowns.
Apple Examines iPhone Battery Woes
By Marin Perez
Users are complaining that the iPhone OS 3.1 software decreases battery life, hinders logging in to Exchange accounts, and causes random shutdowns.
Microsoft Files Five Lawsuits To Halt Malicious Advertising
By Thomas Claburn
In an effort to protect Windows users, Microsoft is suing unidentified scammers for distributing malware through online ads.
InSecurity Complex
Keeping tabs on flaws, fixes, and the people behind them.
Twitter phishing scam spreads via direct messages
By Elinor Mills
A new phishing scam is spreading through Twitter via direct messages, according to several reports.
Itamar Kestenbaum writes on his JewNews.net blog that he received a direct message on his Twitter account from someone he didn't know that said "rofl this you on here?" followed by a link ...
AT&T-iPhone calling woes on redial
By Elinor Mills
When I sat down to write an article about the unreliable cell reception my iPhone gets on Monday, I knew I wasn't alone in my frustration. Friends and acquaintances often joke that the iPhone is a cool computer but a lousy phone.
But ...
AT&T takes the phone out of iPhone
By Elinor Mills
Three weeks ago, I got a call on a friend's iPhone while in the middle of a desert; cell phone coverage had come to Burning Man. By contrast, several calls I made last night to my parents from my San Francisco apartment were ...
Reducing threats for Net-linked security cameras, ATMs
By Elinor Mills
ICSA Labs, which sets standards for commercial security products, plans to announce on Monday a new program for helping corporations protect themselves from attacks and snooping via Internet-connected devices such as printers, copiers, ATMs, and security cameras.
Under the ICSA Labs Network Attached Peripheral Security Certification and Assessment program, experts ...
McAfee Avert Labs
Cutting edge security research as it happens.......
Inside the Password-Stealing Business
By Dennis Elser and Micha Pekrul on Web and Internet Safety
Today Avert Labs has published a new research paper, “Inside the Password-Stealing Business: the Who and How of Identity Theft.” With so many financial transactions occurring online today, stealing passwords to banks and other accounts is an irresistible attraction for cybercriminals. Thieves around the world use Trojans and other malware to grab user credentials, which [...]
W32/Xpaj: Know Your Polymorphic Enemy
By Vitaly Zaytsev on Malware Research
Nowadays, most anti-virus products can deal with viruses relatively easily using a variety of technologies. Decent emulator-based scan engines can handle a majority of polymorphic and metamorphic viruses, including those that use the entry-point obscuring technique (EPO). But when it comes to viruses with delay load and random code blocks insertion such as W32/Zmist, (a.k.a. [...]
Online ‘Monopoly’ a Reminder That Spammers Don’t Play Fair
By Sam Masiello on Web and Internet Safety
In the latest social-engineering tactic targeting online games players, a new spam campaign attempts to lure users into downloading a Monopoly game–though it’s more like a game of Russian roulette. The email is a seemingly innocuous invite from a random user (your first clue that this is something to avoid!). The message uses a subject line [...]
Network World on Security
The latest security news, analysis, reviews and feature articles from NetworkWorld.com.
Mobile-Phone Banking: Convenient and Safe?
With the introduction of an iPhone app that lets you deposit a check by taking a picture of it, options for mobile banking are growing rapidly. And though you might think the boost in convenience comes at the expense of security, banking on your cell phone can actually be safer than using your PC if you take basic precautions.
Microsoft blasts Google over Chrome Frame plug-in
Microsoft today warned Internet Explorer users that they could double their security woes if they installed and used Chrome Frame, the plug-in that provides better JavaScript performance and adds support for HTML 5 to IE.
Senate kills bid to make White House czars accountable
An amendment that would have given Congress more oversight over the White House cybersecurity czar and at least 17 other czars appointed by President Obama was shut down in the U.S. Senate.
Spammers like Idaho best of all
No one is quite sure why, but Idaho now gets spammed a little more heavily than any other state in the U.S.
Construction firm sues after $588,000 online theft
A construction company in Maine is suing its bank after about $588,000 disappeared from its accounts, alleging the bank failed to spot suspicious account activity before it was too late.
DHS set to release privacy report today
The Department of Homeland Security plans to release its annual privacy report to Congress today.
Mandelson's net piracy scheme to cost Brits £25 a year
The government's propsal to tackle internet piracy by tracking illegal downloaders and cutting-off their web access, could cost Brits an extra £25 a year, says BT.
Social networking sites leaking personal information to third parties, study warns
Many major social networking sites are leaking information that allows third party advertising and tracking companies to associate the Web browsing habits of users with a specific person, researchers warn.
Drudge, other sites flooded with malicious ads
Criminals flooded several online ad networks with malicious advertisements over the weekend, causing popular Web sites such as the Drudge Report, Horoscope.com and Lyrics.com to inadvertently attack their readers, a security company said Wednesday.
Cybersecurity bill pushes university-business alliances
Legislators are trying to encourage cooperation among universities and businesses to develop technology needed to carry out a strategic government effort to fight cyber attacks. http://www.networkworld.com/community/node/44913
Cisco patches a dozen router bugs
Cisco Systems has released its twice-yearly set of security patches for its router firmware, fixing 12 security flaws in the products.
PCI survey finds some merchants don't use antivirus software
Consumers face a greater risk of losing control of their data when doing business with smaller retailers, as many haven't made investments to comply with the Payment Card Industry's Data Security Standard (PCI DSS), according to a new survey.
Your complete ID is worth £45 to villains
Web users are over-estimating how much their personal information is worth to cybercriminals, says Symantec.
Clampi virus spreading across UK and US PCs
Web users are being urged to be careful when surfing the web following the identification of a new virus known as Clampi.
Group seeks answers from DHS on delay of privacy report
A privacy rights group is pressing the U.S Department of Homeland Security to disclose when it plans to release its annual privacy report to Congress.
Credit-card security standards questioned, survey says
Most IT security professionals who must comply with the industry standards to protect credit card data think those standards have no impact at all on actual security, according to new study by Ponemon Institute.
Startups see dollar signs in sex
Technology can help mitigate the new dangers presented by online dating and the "hook-up" culture of today's youth, as well as the long-present threat of sexual misconduct by trusted authority figures, according to three companies presenting at the DEMO conference on Tuesday.
7 Ways Security Pros DON'T Practice What They Preach
IT security pros spend oodles of time trying to hammer best practices into the heads of fellow employees. But in an informal poll conducted by CSOonline, many admitted they don't always follow their own advice.
Bank sues Google for ID of Gmail user
A bank that inadvertently sent confidential account information on 1,325 of its customers to the wrong Gmail address is suing Google for the identity of the Gmail account holder.
Privacy advocates hail Facebook's plan to shutter Beacon
Privacy advocates are applauding Facebook's willingness to shut down its controversial Beacon service as a part of a broader settlement in a class-action lawsuit against the company.
Google News crashes this afternoon
Google News suffered an outage today, the latest in a series of mishaps for the news aggregation site and for Google's hosted applications.
Facebook and Nielsen Team to Track You
Advertising on Facebook hasn't been met with success. The most prominent example of its failure is the now-defunct Facebook Beacon program, which broadcast the actions of users on external sites. (Yes, I just bought a pizza. Yes, I just bought your Christmas present and now you know what it is.) Now Facebook has announced a multi-year strategic alliance with ad-tracking monster Nielsen to create BrandLift, an advertising effectiveness measurement tool that the partners hope will push the bar high for social networking ads.
Seagate ships self-encrypting drives for enterprises
Seagate said it is offering its self-encrypting drive feature with its entire line of enterprise-class hard disk drives and that it has partnered with Intel and LSI to integrate its encryption technology with the two companies' security management firmware.
Researchers overwhelming vendors with security flaws
Booming numbers of security researchers are uncovering so many flaws that vendors are finding it almost impossible to patch them all in a reasonable timeframe, the latest SANS report has found.
Scammers auto-generate Twitter accounts to spread scareware
Scammers are using machine-generated Twitter accounts to post messages about trendy topics, and tempt users into clicking on a link that leads to servers hosting fake Windows antivirus software, security researchers said.
Symform has an elegant cloud storage idea
A company called Symform has started up a fascinating cloud storage company that relies on spare disk space in business data centers.
Botnet PCs stay infected for years
A hardcore of PCs controlled by botnets stay that way for years, an analysis from security vendor Trend Micro has found.
Gaming mouse-maker Razer hit with infected firmware
Gamers trying to update their mouse or keyboard drivers from accessory maker Razer USA's Web site recently may have gotten more than they bargained for.
Malware Blocking Tests Put Trend Micro on Top
Trend Micro scored well above its competition in new, antivirus test results that gauged whether an antivirus product can block malware you're tricked into downloading.
AV tests find that reputation really does count
New reputation-based antivirus systems are doing a better job of blocking malicious software than did their predecessors.
Microsoft declares war on 'scareware'
A couple weeks back the digital version of the New York Times found itself hip deep in manure when it got tricked into serving up "scareware" ads to unsuspecting readers.
US company burned by China Web filter plans rival product
A U.S. company whose software code was allegedly stolen in China by a controversial, government-backed Internet filtering program will hit back by launching a rival product for a low price in China, the company said late Sunday.
Microsoft unveils tool for Windows flaw as attack code looms
With attack code that exploits a critical unpatched bug in Windows likely to go public soon, Microsoft is urging users to run an automated tool that disables the vulnerable component in SMB 2.
OpenID implementation works on mobile platforms
Swedish company Accumulate has implemented a version of the OpenID standard for mobile phones.
Suspect Pleads Guilty to Huge Data Thefts
Albert Gonzalez, who was described by federal authorities as the mastermind of the massive data thefts at TJX, Heartland and other retailers, pleaded guilty to charges of conspiracy, wire fraud and aggravated identity theft.
Microsoft to ship free security software soon
Microsoft has told beta testers of its free antivirus software, Microsoft Security Essentials, that it will release the final version to the public soon.
Surveilled to death
Gibbs ponders how much we're tracked and how much we give away and wonders what the long-term outcome will be; a society of closed lips and constrained behavior, a society economical with the truth, or will it just stay business a usual?
Last major PC makers ditch Chinese Web filter
Some of the few PC makers who offered a controversial Web filtering program mandated by China have reversed those plans, dealing the latest blow to China's efforts to deploy the software nationwide.
Netbooks: Are they ready for the enterprise?
Netbooks are winning over consumer hearts and credit cards. While some consumer products, like iPhones, have pushed their way into the enterprise, netbooks haven’t. Is it just a matter of time before netbooks become an enterprise staple or will they remain a consumer-only product?
The Register - Security
Biting the hand that feeds IT
(Former) IT consultant confesses to SCADA tampering
'Multiple user accounts'
A former IT consultant for a California oil and gas company has admitted he intentionally tampered with its computer systems after he was turned down for a permanent position there.…
Malware torrent delivered over Google, Yahoo! ad services
No cure for the malvertisement blues
Some of the web's bigger websites were flooded with a torrent of malicious banner ads after cyber crooks managed to sneak them onto syndication services operated by Google, Yahoo, and a third company, according to a security firm.…
Malware house offered bounty for infected Macs
Fake OS X codec scam exposed
A researcher has unearthed fresh evidence of cyber criminals' growing attraction to Apple's OS X platform with the discovery of a now-disbanded group that offered 43 cents for every infected Mac.…
Phishing worm spreads across Twitter
I am neither rolling on the floor nor laughing
A worm linked to a new phishing scam is spreading via messages on Twitter.…
New cyber-security research centre opens in Belfast
'Forget GCHQ, we're the daddies now'
Computer boffins at Queen's University in Belfast are chuffed as ninepence today to snip the ribbon on a new government- and industry-sponsored cybersecurity research centre.…
Secret teen hacker army ridiculed
Wayward minister making stuff up again?
The UK government's reported decision to employ ex-hackers to work at a newly-established Cyber Security Operations Centre have met with derision from both a high-profile former hacker and an acknowledged cybersecurity expert.…
Bank sues Google for identity of Gmail user
Um, we sent him 1,325 tax IDs
A US bank is suing Google for the identity of a Gmail user after a bank employee accidentally sent the user a file that included the names, addresses, tax IDs, and loan info for more than 1,300 of the bank's customers.…
Email-stealing worm slithers across LiveJournal
Son of Samy stopped
LiveJournal's security team has disabled some media features on the blogging site after a quick-spreading worm stole user email addresses and caused entries designated as private to be available to everyone.…
Facebook enables apps to peek at mail
I'm in ur inbox, mocking ur privacy settings
Updated Facebook plans to open up members' inboxes and notifications to developers have drawn fire from security experts as an unacceptable privacy risk.…
Firms still struggling with data security standard
PCI DSS dissed
Organisations are still struggling with data security, putting consumers at continued risk of identity theft as a result.…
Demon splurges details of 3,600 customers in billing email
Passwords too
Demon Internet sent thousands of business and government subscribers an email this morning telling them all about a new e-billing system, and tacked on details, including passwords, for 3,600 customers.…
Govt report card logs UK hacking conviction success rate
56% - Could do better
Sixty-one of the 108 people prosecuted under UK hacking laws between 2003 and 2007 were convicted.…
Chinese hackers target media in anniversary run-up
News organisations, NGOs hit by trojan attacks
Chinese workers in foreign media outlets within China are in the firing line of a new wave of malware-laden emails.…
Online ID theft, an employee IT security guide
How to avoid it, silly
Site offer Tired of telling the net numpties at work to smarten their act on email security? Is the company's message about the dangers of online id theft falling on deaf ears? We have the just the right material for you to distribute to your workforce.…
Twitter-based mafia game irritates world+dog
An offer you can refuse
An annoying Twitter-based Mafia game is getting under the skin of users of the micro-blogging service, many of who would sooner it slept with the fishes.…
Hardware biz issued trojan-laced drivers, says researcher
Razer burn
A maker of hardware for computer gamers has taken its support site offline following a report that it was surreptitiously distributing malware on its downloads section.…
Word handling bug shoots down StarOffice
Starstruck
Sun last week pushed out a set of updates designed to fix a flaw in its StarOffice and StarSuite office software packages.…
Facebook app flaws create Trojan download risk
Anti-social networking
Grey-hat hacker Unu has discovered cross-site scripting vulnerabilities involving Facebook applications, of a type that might be used to distribute Trojan horse malware or launch other hacking attacks.…
SANS Internet Storm Center, InfoCON: green
A couple more tools, (Thu, Sep 24th)
In my continuing quest to find and check out new and interesting tools, I've recently noticed two of ...(more)...
Infocon: green
A couple more tools
CISCO Security Advisories, (Wed, Sep 23rd)
CISCO has released a number of security advisories. The following table summarises the ...(more)...
Storing passwords, (Wed, Sep 23rd)
Ihave a problem, no a challenge, for you all. How do you store passwords that have to be ...(more)...
Addendum to SRI's Conficker C Analysis Published, (Wed, Sep 23rd)
SRI recently updated their Conficker C analysis with another addendum, this one covers Conficker C's ...(more)...
Insider Threat information at CERT, (Tue, Sep 22nd)
If you ever dealt with insider threats, you would understand the complexity and sensitivity of these ...(more)...
ESTA scam, (Tue, Sep 22nd)
For visitors under the Visa Waiver program going to US, there's a requirement to apply ESTAbef ...(more)...
Facebook Issues Earlier Today?, (Mon, Sep 21st)
Several readers wroteinto let us know of some reports in the media today concerning acce ...(more)...
Microsoft Releases A "Fix it" Workaround For SMBv2 Vulnerability, (Mon, Sep 21st)
As pointed out by several folks writing in to the ISCHandlers group, Microsoft has updated its ...(more)...
Insider Threat and Security Awareness, (Sun, Sep 20th)
Lets face it, some days are just more exciting than others. (We can always count on patch Tue ...(more)...
SANS NewsBites
All Stories From Vol: 11 - Issue: 74
FCC Chair Introduces Proposed Net Neutrality Rules (September 21, 2009)
In a speech at the Brookings Institution on Monday, September 21, Federal Communications Commission (FCC) Chairman Julius Genachowski proposed a set of rules that would prohibit Internet service providers from slowing down competitors' Internet traffic on their networks.......
Justice Dept. Review Says Einstein 2 Does Not Violate Users' Privacy (September 18, 2009)
A US Justice Department (DOJ) review of Einstein 2 surveillance program concluded that the program, which monitors federal workers' Internet traffic, does not violate their privacy rights or those of the people who communicate with them.......
Microsoft Issues Workaround for SMB Vulnerability (September 21, 2009)
Microsoft has issued a workaround to protect users from a critical vulnerability in Server Message Block (SMB) version 2.......
Bank Suing Google to Discover Identity of Accidental eMail Recipient (September 21, 2009)
A Wyoming bank is suing Google to discover the identity of a Gmail user to whom the bank accidentally sent confidential information.......
Facebook Will Shutter Beacon as Part of Lawsuit Settlement (September 19, 2009)
Facebook will close down its Beacon advertising system as part of a settlement of a class action lawsuit.......
Jail Time for Test Deposit Scammer (September 18, 2009)
Michael Largent, 22, of Plumas Lake, CA, was sentenced to 15 months in prison for an online brokerage scam that netted him US $50,000.......
Microsoft Files Five Suits Against Malvertisers (September 17 & 18, 2009)
Microsoft has filed five civil lawsuits against alleged malvertisers, entities that use maliciously crafted advertisements to spread malware.......
Malware Purveyors Monkey Around with PBS Show Site (September 18, 2009)
The PBS.......
Attackers Exploit Web Application Flaw to Hijack Yahoo Mail Accounts (September 18, 2009)
Attackers are exploiting a known vulnerability in Yahoo's network to launch brute force attacks against users' Yahoo mail accounts.......
Software Company Fined for Trading with the Enemy (September 17, 2009)
A Colorado software company has been fined US $14,500 for selling oil and gas exploration software to a company that intended to use it for exploration in Cuban waters.......
India Wants Internet Telephony Ban (September 17, 2009)
Indian security officials are calling for a ban on international Internet telephony until they have the capability to trace calls on such systems.......
Maine Heating Company Loses US $150,000 Through Social Engineering Attack (September 15, 2009)
Downeast Energy and Building Supply in Brunswick, Maine has notified 800 of its customers that some of their sensitive information was compromised in a security breach.......
SearchSecurity: Security Wire Daily News
The latest information security news on IT threats, vulnerabilities and market trends from the award-winning SearchSecurity.com.
PCI virtualization SIG closer to proposing changes to standard
By Robert Westervelt
A special interest group studying virtualization for the payment industry is preparing guidance on the use of virtualization and ways to maintain PCI DSS compliance.
First Data, RSA push tokenization for payment processing
By Robert Westervelt
The encryption-token service could compete against vendors offering format preserving encryption to secure payment transactions.
Security Squad: Privacy gone awry
By SearchSecurity Staff
SearchSecurity editors discuss Internet privacy issues, the Apache disclosure, VMworld and Apple security.
Security challenges with cloud computing services
By Marcia Savage
Panel discusses cloud computing security issues including encryption and user authentication.
Security - RSS Feeds
Security - RSS Feeds
Google Responds to Chrome Frame Security Concerns from Microsoft
Google responds to criticism by Microsoft about Google's Chrome Frame plug-in. Chrome Frame is designed to bring some of the technology of the Google Chrome browser to Microsoft Internet Explorer, and has been reported to speed up the browser. But Microsoft contends that the plug-in increases IE's attack surface.
- Google hit back Sept. 24 in response to Microsoft's claims that Google's Chrome Frame makes Internet Explorer less secure. Google Chrome Frame is an early-stage open-source plug-in that brings Google Chrome's open Web technologies, such as the HTML5 canvas tag and JavaScript engine, to Microsoft...
10 Ways to Protect Your Company from Social Media Hacker Attacks
News Analysis: Social networks can be scary places that cause many companies to debate whether to continue supporting social network access for employees at the office. But keeping a company safe from potential security issues isn't as hard as it might appear. Here are 10 ways to make social network access safer.
- A new phishing attack has hit Twitter, causing some users to unwittingly expose sensitive data to malicious hackers. It's causing some people to question how they use social networks. And it might be forcing many companies to second guess their support for such services. The threat of outbreaks c...
Exposing How Rogue Antivirus Sites Snag Victims
Behind the reports of rogue antivirus scams is a multimillion dollar business lining the pockets of cyber-thieves. The threats arent new, but they have been growing in prevalence, according to malware researchers. Seven of the top 25 malware or unwanted software families from the second half of 2008 had a connection to rogue software, according to Microsoft experts. Two in particular Win32/FakeXPA and Win32/FakeSecSen were detected by Microsoft on more than 1.5 million computers. The prevalence of the scams is driven by the profits. In a report in March, Finjan uncovered a rogueware affiliate network that hauled in an average of $10,800 a day. Such schemes are successful in part because attackers do a good job of mimicking the look of the Windows Security Center and other legitimate screens in Windows to give their phony scams an air of authenticity. Successfully fighting rogue antivirus schemes must involve teaching users about social engineering. With all this in mind, eWEEK is going behind the scenes of some of the successful rogue antivirus scams that have plagued the Internet.
- ...
Twitter Hit by New Phishing Attack
Phishers are targeting Twitter users in a new attack involving direct messages sent to Twitter users containing a link to a site requesting user log-ins.
- UPDATE: There are reports of a new phishing scam making the rounds on Twitter. The attack seeks to steal user credentials by sending tweets out with links to a phishing site. The attack site requests the user's log-in information; once the attackers have that, they can take over the account of the v...
House Panel Approves Cyber-Security RandD Bill
Legislation calls for federal agencies to create a road map detailing each agencys cyber-security role and the level of funding required to fulfill the research objectives.
- A U.S. House subcommittee Sept. 23 approved legislation requiring federal agencies to develop, update and implement strategic plans for cyber-security R amp;D. The Cybersecurity Research and Development Amendments Act of 2009 calls for agencies to create a road map detailing each agencys cyber-secur...
Six Tips for Keeping Enterprise Data Secure in Cloud Storage
Storing data in the cloud has brought with it its own set of compliance and security concerns -- something underscored recently by a survey by Unisys. The survey revealed that 51 percent of the 312 respondents cited security and data privacy as their top concern regarding cloud data storage. While experts say the public cloud may be ready for certain applications, organizations need to be sure those apps are secure -- and that they can prove it when questioned by auditors. With that in mind, eWEEK spoke to analysts and others in the field and asked them what companies should think about from a security and privacy perspective before pushing their data into the cloud. Here are few of the questions and considerations you should take to your service provider.
- ...
Lawmakers Revive Effort to Deny Retroactive Telecom Immunity
With key provisions of the Patriot Act set to expire and the White House seeking renewal, legislators are proposing a bill that would repeal immunity for telecommunications companies spying on U.S. citizens without warrants.
- With key provisions of the Patriot Act set to expire at the end of 2009, some U.S. senators hope to amend the controversial law by repealing the retroactive immunity for telecommunications companies approved by Congress in 2008. The law forgives telecom companies that spied on U.S. citizens' e-...
McAfee, BMC Software Push Integration for Security Policy Management
McAfee and BMC Software are partnering to integrate BMC BladeLogic Client Automation with McAfee's security management products. The joint solution, the companies say, will help deliver proactive policy remediation to enterprises.
- McAfee and BMCSoftware have agreed to work together to integrate BMC's BladeLogic Client Automation with McAfees policy and security management products. The idea behind the partnership is to bring enterprise IT operations and security management together to eliminate communication gaps, red...
Worldwide Security Software Market to See 8% Increase in 2009
Analysts at Gartner say the security software market is on track to see an 8 percent increase for the year, growing to $14.5 billion. The analyst firm also expects to see more security acquisitions in the near future after buys by Symantec, McAfee and Sophos this year.
- Gartner is predicting the worldwide market for security software will jump 8 percent over last year, despite the economic slowdown. The analyst firm expects the market to total $14.5 billion in 2009. According to Gartner, roughly $6.5 billion of that amount will be in the United States, an 11...
LABS GALLERY: SocialPET Lets Businesses Phish Their Own Employees to Test Security Smarts
One of the biggest security risks that companies face is employees who fall victim to phishing e-mails, which can lead to stolen log-in credentials and virus infections. SocialPET is a simple Web-based testing tool that lets businesses run their own phishing tests to find out which employees understand security procedures and which are at risk to falling prey to real phishing scams.
- ...
Microsoft Issues New Security Workaround for SMB Vulnerability
Microsoft releases an automated tool to help the public disable Server Message Block 2, the company's network file and print sharing protocol. Microsoft officials say they are still working on a patch for the vulnerability, which was disclosed earlier this month.
- Microsoft is telling IT pros to utilize its automated Fix IT tool to deal with an unpatched vulnerability in Server Message Block 2. The flaw in Server Message Block (SMB) 2 was publicly disclosed Sept. 7 and affects Windows Vista, Windows Server 2008 and release candidates of Windows 7. ...
REVIEW: SocialPET Lures End Users into Exposing Security Ignorance
SocialPET is a SAAS application that tests end users' ability to discern dangerous e-mails by sending fake phishing messages and reporting on users' actions. The app is useful for pointing to security weak links, but it is currently pretty bare-boned.
- When it comes to securing a companys infrastructure, there are many different problems to deal with from unpatched servers to poorly secured networking hardware to security applications that dont address all potential threats. But probably the biggest problem is the companys employees. Despite ...
Presidential Internet Kill Switch May Still Be Alive
Sens. Jay Rockefeller and Olympia Snowe originally introduced the Cybersecurity Bill of 2009 to howls of protest over a provision in the legislation that would give the president the unprecedented authority to shut down the Internet for national security reasons. Rockefeller and Snowe retreated and redrafted but still left the issue much in doubt.
- For a bill that has yet to have a public hearing, much less faced a single vote, the Cybersecurity Act of 2009 (S. 773) remains the most controversial technology-related legislation before the current Congress. Introduced by Sens. Jay Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, in April and ...
Security Fix
Brian Krebs on computer and Internet security
'Money Mule' Recruitment Network Exposed
In Web Fraud 2.0
In a blog post earlier this week, Security Fix examined the crucial role of "money mules" -- people in the United States who are willingly or unwittingly recruited to help cyber fraudsters steal money from businesses. In this column, we'll peer a bit deeper into how mules are recruited, and how they often communicate with their employers. Security Fix interviewed one of the mules hired to receive money from Sanford School District, a small school system in Colorado that was robbed of $117,000 last month when hackers used the district's online banking credentials to send sub-$10,000 payments to this mule and 16 others. The mule I spoke with said she was hired by a company called the Scope Group Inc., which claimed to be a nearly 20-year-old investment firm operating out of New York. The Scope Group did not return e-mails seeking comment, but there is no listing for a
Maine Firm Sues Bank After $588,000 Cyber Heist
In Fraud
A construction firm in Maine is suing a local bank after cyber thieves stole more than a half million dollars from the company in a sophisticated online bank heist. On Friday, Sanford, Maine based Patco Construction Co. filed suit in York County Superior Court against Ocean Bank, a division of Bridgeport, Conn. based People's United Bank. The lawsuit alleges that Ocean Bank did not do enough to prevent cyber crooks from transferring approximately $588,000 to dozens of co-conspirators throughout the United States over an eight-day period in May. People's United Bank spokeswoman Valerie Carlson declined to comment for this story, saying the company is aware of the lawsuit but does not discuss pending litigation. According to the complaint, the fraudulent transfers began on Thursday, May 7, when thieves who had hijacked the company's online banking credentials initiated a series of transfers totaling $56,594 to several individuals that had no prior
Microsoft Issues Stopgap Fix for Windows Flaw
In New Patches
Microsoft this week released a stopgap security fix for a critical flaw present in some Windows PCs that could let attackers remotely seize control of vulnerable systems. But as scary as this vulnerability sounds, it may actually be better for some Vista users to wait until Microsoft issues an official update. Microsoft issued the emergency workaround after reports that security researchers were publishing proof-of-concept exploits that attackers might use to figure out how to attack the flaw. The workaround Microsoft released doesn't fix the problem so much as disable the vulnerable component. In the meantime, Redmond says, it is working on developing a more precise, official patch. The flaw resides in the file-sharing capability of Windows Vista and Windows Server 2008 systems. It does not affect Windows XP, Windows 2000 or Windows Server 2003 computers. Microsoft says the vulnerability does not exist in the version of Windows 7 that the
SecurityFocus News
SecurityFocus is the most comprehensive and trusted source of security information on the Internet. We are a vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
Brief: Twitter warns of direct-messaging worm
Twitter warns of direct-messaging worm
Brief: Apple patches up iTunes playlist flaw
Apple patches up iTunes playlist flaw
>> Advertisement <<
Can you answer the ERP quiz?
These 10 questions determine if your Enterprise RP rollout gets an A+.
http://www.findtechinfo.com/as/acs?pl=781&ca=909
WindowSecurity.com
WindowSecurity.com provides Windows security news, articles, tutorials, software listings and reviews for information security professionals.
ISA Server - Voted WindowSecurity.com Readers' Choice Award Winner - Firewall Software
By info@WindowSecurity.com (The Editor)
ISA Server was selected the winner in the Firewall category of the WindowSecurity.com Readers' Choice Awards. Astaro Security Gateway and Kerio WinRoute Firewall were first runner-up and second runner-up respectively.
Maintaining, Mandating, and Mitigating Privacy in Internet Explorer 8
By (Chris Sanders)
Showcasing some of the enhancements in Internet Explorer 8 and how you can use them to make sure you maintain the privacy level you desire.
Yahoo! News: Security News
Security News
Spammers Like Idaho Best of All (PC World)
In technology
PC World - No one is quite sure why, but Idaho now gets spammed a little more heavily than any other state in the U.S.
PCI Survey Finds Some Merchants Don't Use Antivirus Software (PC World)
In technology
PC World - Consumers face a greater risk of losing control of their data when doing business with smaller retailers, as many haven't made investments to comply with the Payment Card Industry's Data Security Standard (PCI DSS), according to a new survey.
Chinese cyberattacks target media ahead of anniversary (Reuters)
In technology
Reuters - Foreign media in China have been targeted by emails laden with malicious computer software in attacks that appear to be tied to the run-up to the National Day military parade on October 1.
AV Tests Find That Reputation Really Does Count (PC World)
In technology
PC World - New reputation-based antivirus systems are doing a better job of blocking malicious software than did their predecessors.
Malware Blocking Tests Put Trend Micro on Top (PC World)
In technology
PC World - Trend Micro scored well above its competition in new, antivirus test results that gauged whether an antivirus product can block malware you're tricked into downloading.
Zero Day
Tracking the hackers
Microsoft says Google Chrome Frame doubles IE attack surface
By Ryan Naraine on Phishing
Google's decision to introduce a plug-in that runs Google Chrome inside Microsoft's Internet Explorer isn't sitting well with the folks at Redmond.
In search of a standard for displaying security threat levels
By Ryan Naraine on Viruses and Worms
A security researcher is challenging the anti-malware industry to work on a standard way of assigning computer/Internet threat levels to present transparent helpful information to consumers and businesses.
Cisco drops patches for serious IOS vulnerabilities
By Ryan Naraine on Pen testing
Cisco has released a peck of patches to cover multiple security flaws in its flagship Cisco IOS.
Hijacking Windows System Restore for cybercrime profits
By Ryan Naraine on Rootkits
Hackers in China are using a combination of sophisticated techniques to penetrate the hard disk recovery card on computers in Internet cafes to steal billions of dollars worth of online gaming credentials.
Modern banker malware undermines two-factor authentication
By Dancho Danchev on Spyware and Adware
Once pitched as an additional layer of security for E-banking transactions, two-factor authentication is slowly becoming an easy to bypass authentication process, to which cybercriminals have successfully adapted throughout the last couple of years. Modern banker malware, also known as crimeware, is now fully capable of bypassing the two-factor authentication obstacle by doing a simple thing [...]
Google exec calls for ISPs to get tough on botnets
By Ryan Naraine on Spyware and Adware
Head of Google's Anti-Malvertising team Eric Davis wants Internet Service Providers to look beyond profits and take a more proactive approach to dealing with malware-infested computers on their networks.
Scareware scammers hijack Twitter trending topics
By Dancho Danchev on Web 2.0
Researchers from F-Secure and Sophos are reporting on an ongoing scareware serving campaign abusing the popular micro-blogging service Twitter. Hundreds of tweets using four different URL shortening services are currently spammed through the automatically registered Twitter accounts, relying on a pseudo-random text generation using Twitter’s trending topics. This isn’t the first time (Cybercriminals hijack Twitter trending topics [...]
From Gimmiv to Conficker: The lucrative MS08-067 flaw
By Ryan Naraine on Zero-day attacks
GENEVA — The critical MS08-067 vulnerability used by the Conficker worm to build a powerful botnet continues to be a lucrative security hole for cyber criminals. During a presentation at the Virus Bulletin 2009 conference here, a trio of Microsoft researchers dissected the malware attacks linked to MS08-067 and found that criminal gangs are still exploiting [...]
Critical iTunes flaw exposes Mac, Windows to hacker attacks
By Ryan Naraine on Vulnerability research
Apple has shipped iTunes 9.0.1to fix a critical security hole that puts Mac and Windows users at risk of computer takeover attacks.
Posts
