Sunday, September 20, 2009

Around The Horn vol.1,152

CGISecurity - Website and Application Security News

All things related to website, database, SDL, and application security since 2000.

Microsoft publishes BinScope and MiniFuzz

By Robert A. on Tools

From the download pages. BinScope "BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date...

CNET News - Security

LogMeIn can control some PCs, even when off

By Rafe Needleman

During a recent talk with LogMeIn CEO Michael Simon, I learned about the company's new LogMeIn Central dashboard for IT managers, designed to help them keep tabs on thousands of computers at a time.

I also heard about the new version of virtual network service Hamachi, which makes it ...

Originally posted at Rafe's Radar

Google Apps bug: You've got (my) mail

By Elinor Mills

As a result of a bug in a Google Apps e-mail migration tool, some students at Brown University found other students' e-mail in their in-box over the weekend as Google was moving their e-mail from Exchange to Gmail, Google confirmed on Friday.

The problem affected a "handful" of organizations that ...

Originally posted at InSecurity Complex

Why virus writers are turning to open source

By Nick Heath

Malware developers are going open source in an effort to make their malicious software more useful to fraudsters.

By giving criminal coders free access to malware that steals financial and personal details, the malicious software developers are hoping to expand the capabilities of old Trojans.

According to Candid Wüest, ...

Darknet - Hacking, Cracking & Computer Security

Darknet - The Darkside

Ethical Hacking, Penetration Testing & Computer Security

Nasty Trojan Zeus Evades Antivirus Software

By Darknet on zeus trojan

This is one nasty piece of malware, seems like it’s working on a low level as per rootkits, there aren’t many technical details but it may well be operating on a Ring 0 level. The level of detection by AV software is quite scary, especially since the malware is specifically targeting bank login details and it [...]

DarkReading - All Stories

DarkReading

Tech Insight: How To Make Business Partner Security Work

Recommendations on protecting your enterprise from threats posed by business partner systems

New Free Web Service Confirms Theft Of Your Identity

Web-based search service lets individuals check whether their personal information has been compromised

DarkReading - Security News

DarkReading

National Campus Safety Experts Concerned About Recent Spate of Campus Violence

Daryl Hall and John Oates 'Make Dreams Come True' With QVC Debut

SecureWorks, Inc. Streamlines the PCI AOC and FFIEC ITO Self-Assessment Questionnaire Processes with Predefined Assessment Programs and Affiliate Compliance Summary Reports

SAIC Awarded Contract to Support Joint Improvised Explosive Device Defeat Organization

eWeek Security Watch

RSA Uncovers Chat-in-the-Middle Phishing Scheme

In Social engineering

RSA, EMC's security division, has uncovered a new phishing technique it has dubbed "Chat in the Middle" that targets online bankers.

Net Infestation Continues to Spread

In Web 2.0

Security researchers have found that botnet herders are having success at keeping devices infected longer, in addition to keeping the zombie networks themselves up-and-running smoothly.

Federal Computer Week: Security News

Ink Tank

At a glance

The Apple Macintosh operating system and various Windows operating systems differ in many ways, but they each have their Achilles' heel.

Boeing gets one-year extension on SBInet contract

U.S. Customs and Border Protection exercised its option to extend its SBInet border surveillance contract with Boeing Co. for a year.

DOD opens some classified information to non-federal officials

Some officials working at state and local intelligence fusion centers will have limited access to data on the Defense Department's classified network.

Lawmakers hit DHS on electronic border surveillance system

Lawmakers scolded Homeland Security Department officials for the latest round of delays on the SBInet electronic border surveillance project.

Can virtualization solve security problems?

The Defense Department is seeking information on whether the technology can bolster data and infrastructure security.

Marines' social-media ban is bad for morale

Rather than telling troops to get off Twitter and Facebook, the military should educate them about security.

Info Security News (isn) Mailing List

Carries news items (generally from mainstream sources) that relate to security.

Misdirected spyware infects Ohio hospital

Posted by InfoSec News on Sep 18

http://www.cio.com.au/article/319073/misdirected_spyware_infects_ohio_hospital

By Robert McMillan
IDG News Service
18 September, 2009

It was a bad idea from the start, but even as bad ideas go, this one went horribly wrong.

A 38-year-old Avon Lake, Ohio, man is set to plead guilty to...

Security-leak hacker jailed

Posted by InfoSec News on Sep 18

http://www.gulf-daily-news.com/NewsDetails.aspx?storyid=259961

By NOOR TOORANI
Gulf Daily
September 17, 2009

A GOVERNMENT employee, accused of leaking classified information about Bahraini intelligence agents, did it out of revenge, it...

Inmate fesses to prison computer hack

Posted by InfoSec News on Sep 18

http://www.theregister.co.uk/2009/09/16/prison_computer_hack_guilty_plea/

By John Leyden
The Register
16th September 2009

A former US inmate has pleaded guilty to hacking into the prison's computer system to obtain the personal data of more than 1,100 prison service workers.

Francis G...

Secunia Weekly Summary - Issue: 2009-38

Posted by InfoSec News on Sep 18

The Secunia Weekly Advisory Summary 2009-09-10 - 2009-09-17 This week: 72 advisories
========================================================================
...

Security will not come naturally with IPv6

Posted by InfoSec News on Sep 18

http://gcn.com/articles/2009/09/17/ipv6-security.aspx

By William Jackson
GCN.com
Sept 17, 2009

IPv6 can be used to block, shield and hide data on your network, and the hackers already are learning to take advantage of this.

"This is what black hats are doing right now: They are...

InformationWeek Security News

InformationWeek

Microsoft Files Five Lawsuits To Halt Malicious Advertising

By Thomas Claburn

In an effort to protect Windows users, Microsoft is suing unidentified scammers for distributing malware through online ads.

Firefox Security Warnings About Flash Get Results

By Thomas Claburn

By warning users that they're using out-of-date plug-ins, Mozilla's Firefox is helping to immunize the online community from malware contagion.

Consumers Accept Device Fingerprinting, Study Finds

By Thomas Claburn

To fight online fraud, consumers are warming to the idea of technology that identifies the device they're using.

InSecurity Complex

Keeping tabs on flaws, fixes, and the people behind them.

Google Apps bug: You've got (my) mail

By Elinor Mills

As a result of a bug in a Google Apps e-mail migration tool, some students at Brown University found other students' e-mail in their in-box over the weekend as Google was moving their e-mail from Exchange to Gmail, Google confirmed on Friday.

The problem affected a "handful" of organizations that ...

McAfee Avert Labs

Cutting edge security research as it happens.......

Search-Engine Manipulation Evolves as Trust Abuse Grows

By Craig Schmugar on Web and Internet Safety

I revisited the topic of search-engine manipulation (a.k.a. blackhat SEO) in two recent posts. Something caught my eye while investigating cases of search-result poisoning–a shift away from tactics used by the attackers earlier in the year. Previously, attackers mostly registered free websites to pull off their attacks. They would create a bunch of new sites, cross-link them, and [...]

Private Jet-Set Network Hacked

By Francois Paget on Web and Internet Safety

We hear a lot about cybercrime events concerning Facebook or Myspace, but do you know ASmallWorld? It is a private international community for the jet-set crowd and culturally influential people. Yesterday the French police force (OCLCTIC), accompanied by FBI agents, arrested two French residents. They were suspected of hacking this social-network platform dedicated to the worldwide [...]

Network World on Security

The latest security news, analysis, reviews and feature articles from NetworkWorld.com.

Tables Turned on Hacker Site

Here's one to make you smile. An underground malware and hacking forum got a taste of its own medicine when it was itself hacked by a digital vigilante.

Site offers Facebook account break-ins for $100

Security vendor PandaLabs has discovered an online service offering to help those so inclined to hack into any Facebook account they choose for a price: $100.

Microsoft's 'Malvertising' Battle: A Tough Fight to Win

Microsoft's hoping to find the people who've disguised malware as advertising and hold them accountable. The software company announced it's filing five civil lawsuits against businesses that have taken up ads designed to transmit viruses and other harmful material. The catch, however, is that no one actually knows where those businesses are -- or who's behind them.

UK politicians question the safety of mega databases

U.K. politicians are increasingly questioning the safety of holding vast amounts of information in databases despite government plans to rely on them more to battle terrorism, crime and immigration problems.

HHS guts health-care breach notification law, groups warn

Privacy and civil rights advocates have accused the U.S. Department of Health and Human Services of trying to neuter a landmark data breach notification law for health care organizations that is scheduled to go into effect next week.

Man gets 15 months for E-Trade skimming scam

A California man was sentenced to 15 months in prison on Thursday after he pleaded guilty to opening tens of thousands of bogus online brokerage accounts and then pocketing the tiny test deposits made by companies like E-Trade Financial and Charles Schwab.

Microsoft sues scareware scammers

Microsoft filed lawsuits against five companies Thursday, accusing them of using malicious advertisements to trick victims into installing software on their computers.

Sophisticated botnet causing a surge in click fraud

A new botnet has caused a sharp spike in click fraud because it is skirting the most sophisticated filters of search engines, Web publishers and ad networks, according to Click Forensics.

Cerf: Turning off pieces of the 'Net 'not sensible'

In an exclusive interview, the Internet 'father' explains how he helped commercialize the Web and what he's doing now at Google

Firefox's Flash check drives 10M to Adobe's download

Mozilla said that Firefox's check for outdated editions of Adobe's Flash Player convinced 10 million users to go to Adobe's Web site and grab the latest software in a week.

Misdirected spyware infects Ohio hospital

It was a bad idea from the start, but even as bad ideas go, this one went horribly wrong.

Google's Buy of reCAPTCHA Hurt Internet Security?

Absorbing reCAPTCHA, the word-verification Internet security organization, was a natural progression for the Google Book Project. The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) technology creates randomly generated words that appear as images, making it difficult for computers to read. These words are derived from scanned print materials.

Fed cloud plan is wisely tempered by security concerns

The federal CIO is pushing for government use of cloud services immediately, and the way he is going about it can teach a lesson to businesses struggling with how to use these services securely.

Will security concerns darken Google's government cloud?

When Google launches its cloud computing services for federal government agencies next year, one of its biggest challenges will be to overcome concerns related to data privacy and security in cloud environments.

The Register

The Register - Security

Biting the hand that feeds IT

Disconnection phone scam targets UK consumers
BT and Ofcom warn over nascent con

Scammers posing as representatives of phone service providers, such as BT, are calling up UK subscribers in an attempt to trick prospective marks into handing over credit card or bank details under threat of disconnection.…

Brute-force attacks target two-year hole in Yahoo! Mail
Your password is 123456

Scammers are exploiting a two-year-old security hole in Yahoo's network that gives them unlimited opportunities to guess login credentials for Yahoo Mail accounts, a researcher said.…

California man jailed for E*Trade skim scam
Salami-slice fraudster heads for the can

A man who scammed online brokerages including E*Trade and Charles Schwab by stealing a huge number of tiny test deposits from multiple accounts was jailed for 15 months on Thursday.…

US software firm sentenced for 'trading with the enemy'
Cuban heels

A US software company has been sentenced by a federal judge for "trading with the enemy."…

Malvertisers slapped by Microsoft lawsuits
Virus and scareware writer hunt

Microsoft has filed what are believed to be the first lawsuits designed to stop the growing practice of malvertising…

Facebook hack service smells fishy
Supposed hackers may be scamming the terminally nosey

Eastern European hackers are offering to crack into any Facebook account for a fee of $100, payable online through Western Union, though circumstantial evidence suggests that the scheme might just as easily be geared towards ripping-off potential clients while delivering nothing.…

So you wanna build an Application Security Programme
People, process, technology and more

Webcast Whether you're already knee-deep in security challenges or about to embark on such a strategy, we have a webcast that you should find useful.…

NYT scareware scam linked to click fraud botnet
Ukrainian fan club cheer on all sorts of mischief

A botnet, initially run through compromised servers in the Bahamas, has been blamed for the recent upsurge in scareware scams.…

Carder forum drops offline after hack attack
White hat cavalry shoot up black hat site

A Pakistan-based carder site has dropped off the net, after white hat hackers broke into the forum and posted details of the hack on a full disclosure mailing list.…

World's nastiest trojan fools AV software
Pounces on banking passwords

One of the world's nastiest password-stealing trojans evades detection by the majority of PCs running anti-virus programs, according to a study that examined 10,000 machines.…

US healthcare data plan slammed for encryption get-out clause
We decide who needs to know

New data breach rules for US healthcare providers have come under criticism from a security firm that specialises in encryption.…

IETF forges botnet clean-up standard
Shooting zombie PCs in the head

The IETF is developing a standard for how ISPs should go about cleaning up subscriber botnet infections.…

Fraudsters add IM to phishing attacks
Hi! What's your mother's maiden name?

Fraudsters have begun experimenting with introducing IM chats to phishing attacks.…

SANS Internet Storm Center, InfoCON: green

Sysinternals Tools Updates, (Sat, Sep 19th)

Once again Mark Russinovich and company have made updates to some of the SysInternals tools. ...(more)...

Results from Webhoneypot project, (Fri, Sep 18th)

[Cross posting with App Sec Streetfighter blog] The SANS ISC Webhoneypot project was started over a ...(more)...

Snort 2.8.5 is out, (Thu, Sep 17th)

A new version of popular open source IDS has been released. There are some cool new features of whic ...(more)...

SANS RSS Feed

SANS NewsBites

All Stories From Vol: 11 - Issue: 73

SANS Report: Top Cyber Security Risks Underestimated By Industry/Government (September 16, 2009)

The SANS Institute's Top Cyber Risks Report found that two types of vulnerabilities are responsible for the majority of attacks.......

HHS Harm Standard Offers HIPAA-Covered Entities Breach Notification Loophole (September 16 & 17, 2009)

New rules from the US Department of Health and Human Services (HHS) exempt organizations that are subject to HIPAA from notifying consumers of data security breaches if they use encryption or data destruction or if the incident does not meet the harm standard described in the new rules.......

Trend Micro Study Finds Malware Often Remains For Months (September 15 & 16, 2009)

A study from Trend Micro found that malware sticks around on computers it infects.......

French Legislators Approve Revamped Three-Strikes Anti-Piracy Bill (September 15 & 16, 2009)

By a 285 to 225 vote, French legislators have approved a law that would put in place a system that could be employed to cut off Internet access of persistent illegal downloaders.......

IETF Publishes Draft Document on Botnet Remediation (September 15 & 17, 2009)

The Internet Engineering Task Force (IETF) has published a draft standard for Internet service providers (ISPs) regarding how to clean up botnet infestations.......

Firefox Outdated Flash Notification Leads 10 Million to Update (September 17, 2009)

Approximately 10 million Firefox users have followed the link provided by the newest release of Firefox that allows them to update the version of Adobe Flash running on their computers.......

Spyware Intended for Girlfriend Ended Up on Hospital Network (September 17, 2009)

An Ohio man will plead guilty to federal charges after spyware he sent to a woman ended up on a hospital computer system.......

Sears Ordered to Destroy Collected Customer Data (September 16, 2009)

The US Federal Trade Commission (FTC) has ordered Sears to destroy customer data it collected with online tracking software.......

Former Inmate Pleads Guilty to Stealing Prison Worker Data (September 16, 2009)

Former prison inmate Francis G.......

TIGTA Audit Reports Find IRS Has Made Security Improvements (September 15, 2009)

The Treasury Inspector General for Tax Administration (TIGTA) has released two audit reports regarding the US Internal Revenue Service's (IRS) attention to security issues raised in earlier reports.......

Heartland CEO Pushes for End-to-End Encryption (September 14 & 15, 2009)

Heartland Payment Systems CEO Robert Carr told a US Senate committee that the payment card industry needs to adopt end-to-end encryption to protect consumers, financial institutions and payment processors from payment card fraud.......

SearchSecurity.com

SearchSecurity: Security Wire Daily News

The latest information security news on IT threats, vulnerabilities and market trends from the award-winning SearchSecurity.com.

New Bahama botnet evades search engines, fuels click fraud

By Robert Westervelt

Researchers at Click Forensics have discovered a new botnet that is evading search engines and responsible for a spike in click fraud traffic and popup adware.

SecuriTeam.com

SecuriTeam

Welcome to the SecuriTeam RSS Feed - sponsored by Beyond Security. Know Your Vulnerabilities! Visit BeyondSecurity.com for your web site, network and code security audit and scanning needs.

HP-UX Running bootpd, Remote Denial of Service Vulnerability

A potential security vulnerability has been identified with HP-UX running bootpd. The vulnerability could be exploited remotely to create a Denial of Service (DoS).

Iret Pre-commit Handling Failures With Notes On NetBSD Privilege Elevation

NetBSD kernel on x86 does not handle pre-commit failures properly. It is possible to make iret fail pre-commit by having tempEIP outside the code segment limits.

RADactive I-Load Multiple Vulnerabilities

I-Load is an ASP.NET component explicitly created to manage image uploading within ASP.NET applications. The I-Load component contains multiple vulnerabilities: Path Disclosure, Cross Site Scripting, File Disclosure and Arbitrary File Upload.

Quiksoft EasyMail imap connect() ActiveX Stack Overflow Exploit

A remotely exploitable buffer overflow in the ActiveX component Quiksoft EasyMail 6.0.3.0 allows arbitrary code execution in the user context.

Security - RSS Feeds

Malware Defensive Techniques Will Evolve as Security Arms Race Continues

For security researchers, beating attackers means keeping an eye on what is happening while paying attention for signs of what lies ahead.
- When it comes to fighting malware, researchers have to both keep their eyes on the present and foresee what the future may hold before the next threat is on their doorstep. While the majority of malware attacks stick to tried and true methods, malware authors are getting better at b...

Security Researchers Find Alleged Facebook Hacking Service

PandaLabs discovers a service offering to hack any Facebook account for $100. But security researchers say the site is likely a scam.
- PandaLabs has uncovered an online service offering to hack Facebook accounts for a fee. But would-be customers may find out the joke is on them. According to PandaLabs, the service which was discovered this week offers to break into Facebook accounts in exchange for $100. But researchers at Pa...

Microsoft Files 5 Lawsuits to Fight Malicious Ads

Microsoft has filed five lawsuits in Superior Court in Seattle to combat malicious advertising. The problem of attackers using malicious ads to ensnare users has been in the spotlight recently after a malicious ad was discovered on The New York Times Website.
- Microsoft has filed five lawsuits targeting malicious online advertisers. The company filed the suits in King County Superior Court in Seattle. The suits allege that a group of individuals using the business names "Soft Solutions," "Direct Ad," "qiweroqw.com," "ITmeter INC." and "ote2008.in...

Bahama Botnet Discovered as Source of Click Fraud Surge

Click Forensics discovers a botnet behind a significant spike of click fraud traffic. As in the recent scam making use of NYTimes.com, attackers are using fake antivirus software to infect PCs.
- Click Forensics has found an unusually large spike in click fraud traffic coming from a new botnet apparently eluding the filters of search engines, publishers and ad networks alike. Dubbed the "Bahama botnet," the network of compromised computers is distributing malware while masking...

SecurityFocus

SecurityFocus News

SecurityFocus is the most comprehensive and trusted source of security information on the Internet. We are a vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.

Brief: Social-networking sites short on security

Social-networking sites short on security

News: Popular apps need better patching, says report

Popular apps need better patching, says report

Yahoo! News

Yahoo! News: Security News

Security News

Microsoft's 'Malvertising' Battle: A Tough Fight to Win (PC World)

In technology

PC World - Microsoft's hoping to find the people who've disguised malware as advertising and hold them accountable. The software company announced it's filing five civil lawsuits against businesses that have taken up ads designed to transmit viruses and other harmful material. The catch, however, is that no one actually knows where those businesses are -- or who's behind them.

Tables Turned on Hacker Site (PC World)

In technology

PC World - Here's one to make you smile. An underground malware and hacking forum got a taste of its own medicine when it was itself hacked by a digital vigilante.

Microsoft Sues Five Companies Over Malware Ads (PC Magazine)

In technology

PC Magazine - Microsoft on Thursday filed five civil lawsuits against companies that have allegedly been engaged in malicious online advertising, or "malvertising."

Misdirected Spyware Infects Ohio Hospital (PC World)

In technology

PC World - It was a bad idea from the start, but even as bad ideas go, this one went horribly wrong.

Google's Buy of reCAPTCHA Hurt Internet Security? (PC World)

In technology

PC World - Absorbing reCAPTCHA, the word-verification Internet security organization, was a natural progression for the Google Book Project. The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) technology creates randomly generated words that appear as images, making it difficult for computers to read. These words are derived from scanned print materials.

Will Google's Buy of reCAPTCHA Hurt Internet Security? (PC World)

In technology

PC World - Absorbing reCAPTCHA, the word-verification Internet security organization, was a natural progression for the Google Book Project. The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) technology creates randomly generated words that appear as images, making it difficult for computers to read. These words are derived from scanned print materials.

Zero Day

Tracking the hackers

Microsoft ships one-click 'workaround' for critical SMB2 flaw

By Ryan Naraine on Zero-day attacks

With exploit code in circulation and facing a race against time to fix the SMB v2 vulnerability haunting Windows Vista and Windows Server 2008, Microsoft has shipped a one-click "fix-it" workaround to help users avoid malicious hacker attacks.

Sun patches 'critical' StarOffice/StarSuite flaw

By Ryan Naraine on Patch Watch

Sun Microsystems has shipped a fix for a critical vulnerability affecting its StarOffice/StarSuite product lines.

'Bahama' botnet linked to click-fraud surge

By Ryan Naraine on Spyware and Adware

Researchers at Click Forensics have stumbled upon a click-fraud botnet using a series of sophisticated redirection tricks to cheat search engine filters.

PBS.org hacked, serving malware cocktail

By Ryan Naraine on Viruses and Worms

Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits.

Remote exploit released for Windows Vista SMB2 worm hole

By Ryan Naraine on Uncategorized

A team of security researchers have created a reliable remote exploit capable of spawning a worm through an unpatched security hole in Microsoft's Windows operating system.

Firefox Flash patch nudge working, but...

By Ryan Naraine on Open source

Mozilla's move to nudge Firefox users into updating the browser's Flash Player plug-in is being hailed as a "phenomenal" success but the majority of Web surfers are still unpatched.
