Aurora Report: Around The Horn vol.1,156

Ars Technica - Security

4chan prank morphs into malware attack in Kanye death hoax

By jacqui@arstechnica.com (Jacqui Cheng) on scareware

Fake celebrity death reports are nothing new to the Internet—a quick search shows that in just the last few years, there have been rumors spread about the death of Britney Spears, Michael Jackson (uh, before he actually died), Justin Timberlake, Will Farrel, Sean Connery, and more. But with the proliferation of malware, celebrity death rumors can take on new life if spammers pick up on the trend. That's what happened overnight—a fake report about the death of Kanye West, originating as a prank, got co-opted by those looking to exploit your computer.

Americans fear online robberies more than meatspace muggings

By hannibal@arstechnica.com (Jon Stokes) on tech_policy

A new survey shows, perhaps unsurprisingly, that more Americans are worried about being robbed online than they are about being mugged in real life. The bi-annual Unisys Security Index found that Americans fear fraudulent use of their personal credit and debit cards significantly more than they fear for their personal safety; and, in a change from the previous March survey, Americans fear for the nation's security even more than they do the security of their finances. Americans are also much more concerned about pandemic flu viruses than they are computer viruses, and they're a little less concerned about paying their bills than they were in the first half of the year.

One week of MSE: 1.5 million downloads, 4 million detections

By emil.protalinski@arstechnica.com (Emil Protalinski) on Windows

Redmond has released data from the first week (between September 29 to October 6) of Microsoft Security Essentials (MSE) usage, the company's free, real-time consumer antimalware solution for fighting viruses, spyware, rootkits, and Trojans. The product was made generally available to consumers in 19 countries in eight languages, and in the first week Microsoft says it has seen well over 1.5 million downloads. "By the end of week two, we had exceeded 2.6 million downloads," a Microsoft spokesperson told Ars. Number of downloads is never equivalent to the number of installs though: the software giant can't say how many machines have the software installed, but it can weigh in on the number of infected machines.

Businesses fail to take basic steps to prevent ID fraud

By jtimmer@arstechnica.com (John Timmer) on security

On Tuesday, we discussed how many organizations have password policies that don't take the actual properties of human beings into account, and thereby leave their computer systems at risk of malicious attack. In the UK, this week is National Identity Fraud Prevention Week, and a number of surveys of consumer and organizational behaviors are being released in conjunction with this attempt to raise awareness. Collectively, the information in these surveys show that an indifference to security measures is pervasive in many businesses.

We obtained the results of two surveys from the organization that is running National Identity Fraud Prevention Week. The first was produced by the UK's National Fraud Authority, which surveyed the employees of over 500 small businesses. The second was a survey of both consumers and office workers in Europe that was sponsored by Fellowes, which makes paper shredders. Obviously, that company has an interest in heightening awareness of potential security lapses, but the methods used seem fairly standard, and the results pick up national differences in attitudes towards security and identity theft.

Windows 7 testers invited to ongoing MSE beta program

By emil.protalinski@arstechnica.com (Emil Protalinski) on Windows 7

Microsoft today sent out an e-mail to the Windows 7 beta program testing group that reveals some key information about Microsoft Security Essentials (MSE), the company's newly released, free, real-time consumer antimalware solution. First off, the e-mail explains that Microsoft is planning to roll out an ongoing beta program for MSE that will have new private beta builds and a much bigger number of testers. Secondly, the e-mail explains that the first group of invitees are participants of the Windows 7 beta program. Finally, Microsoft notes that those who are not selected to participate in the beta (those who get in will know by November 1, 2009) will have an opportunity to participate in a Customer Preview Program, available next year.

30 years of failure: the username/password combination

By jtimmer@arstechnica.com (John Timmer) on security

A lot of the effort involved in establishing a secure computing environment focuses on technological solutions, from providing warnings about phishing attacks to blocking the propagation of botnets. But, as previous research has shown, security involves a significant human component. Nowhere is that more true than the item at the heart of basic security: the humble password. Here, our best practices—something that's not in the dictionary or written down, differs for every account, etc.—ignores basic research, which shows that humans have a limited capacity to associate random text with, well, just about anything. A new survey of institutional IT users provides a glimpse into just how bad the password situation is, with less than five percent of users managing to use best practices.

What is perhaps most striking about the new study, which is being published in the Proceedings of the Human Factors and Ergonomics Society, is its background section, which details just how long we've been aware of the password problem. It cites a study of Unix passwords from 1979, which showed that about 30 percent of the passwords were four characters or less, and about 15 percent being words that appear in the dictionary. Fast forward to 2006, when a separate survey of 34,000 MySpace passwords revealed that the most common were "password1", "abc123", "myspace1", and "password".

Simple script trips up Microsoft Security Essentials

By emil.protalinski@arstechnica.com (Emil Protalinski) on VBS

An Ars forum member by the name of adminfoo recently installed Microsoft Security Essentials (MSE) to see what all the fuss was about. To his surprise, the security solution quickly labeled him as a malware author. MSE apparently was not quite happy with a .VBS script he had written, and so he decided to dig deeper. His analysis prompted us to do some digging of our own.

After investigating, we've come to a few conclusions: this is a false positive (a file or program that is not dangerous but is detected as such), Microsoft needs to be much quicker to react to false positives (though this is the first one we've seen trip MSE up), and the company's new consumer solution is a much more complicated piece of software than most believe.

First Windows 7 security updates available

By emil.protalinski@arstechnica.com (Emil Protalinski) on Windows Server 2008 R2

As expected, Microsoft today had its largest Patch Tuesday to date, and it includes the first security fixes for Windows 7 and Windows Server 2008 R2. The vulnerability in question could allow a denial of service attack via a maliciously crafted packet during the NTLM authentication process, as described in Security Bulletin MS09-059. Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 are also affected, though XP and Server 2003 are only vulnerable if they have previously installed the non-security update described in KB968389.

How to break up in an online world—and avoid e-stalkers

By jacqui@arstechnica.com (Jacqui Cheng) on Twitter

In this age of electronic communications and social networks, breaking up with someone can be even more of an ordeal than it has been in the past. A divorce or major breakup can be messy enough without the added reminders about what your ex is up to every hour of the day or who he or she is going out with on the weekends. Plus, there's always that risk that your ex is of The Crazy(tm) variety and is using your social networking updates to ensure that you cannot possibly move on with your life if he or she can help it.

For those who keep a tight leash on who has access to their Internet activities, the solution to this problem might seem obvious. Still, there are legions who don't immediately think of the laundry list of Internet ties to cut when they end up parting ways with a significant other. (We have even heard from several readers about dealing with this issue.) It's those people this guide is aimed at.

CGISecurity - Website and Application Security News

All things related to website, database, SDL, and application security since 2000.

Metasploit sold to Rapid7

By Robert A. on Security Tools

It was announced this morning that Rapid7 has purchased metasploit, and hdmoore! That is all. Rapid7 Announcement: http://www.rapid7.com/metasploit-announcement.jsp Metasploit Blog: http://blog.metasploit.com/2009/10/metasploit-rising.html Metasploit Blog: http://blog.metasploit.com/2009/10/joining-team.html More Coverage http://www.andrewhay.ca/archives/1085 http://blog.ianetsec.net/perspective/2009/10/nick-selby-metasploit-acquisition-shakes-up-the-pentest-landscape.html http://darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=220800067

OWASP Publishes Transport Layer Protection Cheat Sheet

By Robert A. on IndustryNews

"This article provides a simple model to follow when implementing transport layer protection for an application. Although the concept of SSL is known to many, the actual details and security specific decisions of implementation are often poorly understood and frequently result in insecure deployments. This article establishes clear rules which provide guidance...

WASC Announcement: 2008 Web Application Security Statistics Published

By Robert A. on WASC

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. The statistics was compiled from web application...

One character mistake knocks .se TLD offline

By Robert A. on IndustryNews

"What was essentially a typo last night resulted in the temporary disappearance from the Internet of almost a million Web sites in Sweden -- every address with a .se top-level down name. According to Web monitoring company Pingdom, which happens to be based in Sweden, the disablement of an entire top-level domain...

CNET News - Security

Microsoft fixing Bing bug that aided spammers

By Elinor Mills

Microsoft on Wednesday said it is fixing a bug in Bing that allowed spammers to bypass spam filters and distribute malicious links.

Researchers at Webroot Software discovered a spam campaign earlier this week that used the search engine's own redirection mechanism and a link-shrinking technique to send people to ...

Originally posted at InSecurity Complex

ChoicePoint to pay $275,000 in latest data breach

By Elinor Mills

ChoicePoint, one of the nation's largest data brokers, has been fined $275,000 by the U.S. Federal Trade Commission for a data breach that exposed personal information of 13,750 people last year.

In April 2008, ChoicePoint turned off a key electronic security tool that it used to ...

Originally posted at InSecurity Complex

Time Warner testing fix to hole in home router

By Elinor Mills

This is the SMC8014WG-S cable modem/Wi-Fi router provided to Time Warner cable customers that has a security hole.

(Credit: SMC)

Time Warner has rolled out a temporary patch and is testing a permanent fix for a security hole in a combination cable modem/Wi-Fi router that could allow anyone ...

Originally posted at InSecurity Complex

Leaking crypto keys from mobile devices

By Elinor Mills

Security researchers have discovered a way to steal cryptographic keys that are used to encrypt communications and authenticate users on mobile devices by measuring the amount of electricity consumed or the radio frequency emissions.

The attack, known as differential power analysis (DPA), can be used to target an unsuspecting victim ...

Originally posted at InSecurity Complex

CIA to start spying on social media?

By Don Reisinger

Visible Technologies, a company that monitors online social activity and packages the findings for clients, has forged a "strategic partnership" with In-Q-Tel, the CIA's not-for-profit investment arm, to give the organization insight into social media.

The deal was first reported on Monday by Wired.

According to Visible Technologies, In-Q-Tel ...

Originally posted at Webware

Podcast: Symantec says beware of rogue security software

By Larry Magid

If you've ever gotten a pop-up message warning that your PC is infected, it could very well be an advertisement for rogue software that can do a lot of harm and absolutely no good.

Symantec has just issued a report saying that the company has "detected over 250 distinct

...

Originally posted at For the Record

Windows 7 security in pictures

By Seth Rosenblatt

Security in Windows 7

See what security features are new and improved in Windows 7 in this slideshow, emphasizing what you can do from the Action Center's security tools.

Originally posted at Windows 7 Insider

Gartner: Loosen up on social networks, security

By Stephen Shankland

ORLANDO, Fla.--OK, IT managers, it's time to loosen up.

That's how analysts advised Gartner Symposium attendees here Monday, arguing that corporate computing departments shouldn't block social networking and that security shouldn't completely lock down communications with the outside world. And even if information technology authorities want to shut down such activity, they can't.

Gartner analyst Carol Rozwell

Carol Rozwell, a Gartner vice president

(Credit: Stephen Shankland/CNET)

"Banning access to social media from the corporate network is futile," said Carol Rozwell, a Gartner vice president. "The world we live in is digitally enabled and socially connected."

The advice reflects the transformation of the information technology world as the Internet steadily pervades more and more corners of everybody's life. Although the Gartner event historically has concerned itself with matters such as justifying the expense of a new enterprise resource management computing system, the broadening show reflects the growing scope of work that IT managers face.

Overall, companies must acknowledge that not everything is under control of their own top-down administration, said Peter Sondergaard, senior vice president of research at Gartner.

"We're moving from control to greater autonomy," Sondergaard said. Managers also must find an appropriate place on the spectrums of in here vs. out there and owned vs. shared.

...

Originally posted at Deep Tech

Part 2: Q&A with Jeff Moss on computer hacking

By Elinor Mills

Jeff Moss

(Credit: Darington Forbes)

Like many young hackers, Jeff Moss got his start copying computer games, learned how to program, and began to explore the world through a modem.

Unlike many young hackers, Moss has managed to turn his computer and social-networking skills into a business. He founded Defcon, ...

Originally posted at InSecurity Complex

Firefox blocks insecure .Net add-on--awkwardly

By Stephen Shankland

Mozilla on Friday disabled a Microsoft plug-in for Firefox called the .Net Framework Assistant because of a security problem--then scrambled to give people with patched systems an override option.

Mike Shaver, Mozilla's vice president of engineering, announced the first step late Friday night on his blog. "It's recently ...

Originally posted at Deep Tech

AVG Free 9 in pictures

By Seth Rosenblatt

AVG Free 9--photos

Most of what's new in AVG Free 9 is under the hood, with the security vendor talking up speedier scan times. There's also a new identity protection feature that's free to people in the United States.

Also in this slideshow, I show an easy ...

Originally posted at The Download Blog

Kaspersky CEO: You need an Internet 'passport'

By Vivian Yeo

Eugene Kaspersky once told a competitor to his face: "I will eat you."

Eugene Kaspersky

(Credit: Kaspersky Lab)

The co-founder and CEO of Kaspersky Lab was certainly not into cannibalism, but was hell-bent on winning over the majority market share his competitor had in the company's base in Russia. ...

Q&A: Defcon's Jeff Moss on cybersecurity, government's role

By Elinor Mills

Jeff Moss, founder of Black Hat and Defcon.

(Credit: Darington Forbes)

As a hacker and organizer of Defcon, an event where computer security vulnerabilities and exploits are routinely unveiled, Jeff Moss seemed an unusual choice when he was named to the Homeland Security Advisory Council in June.

But his background and lack of government experience brings a fresh, outsider's perspective to a public sector plagued by a fast-changing threat landscape, perpetual turf wars, and bureaucratic inertia.

With National Cyber Security Awareness Month under way, CNET News discussed with Moss his new role, his thoughts on the national ID card debate, and how the government wants to use social media sites for public emergency alerts. This edited interview is the first of two parts. Part two will run on Monday.

Q: So, how's it going on the Homeland Security Advisory Council?
Moss: It's going pretty well, it's pretty exciting actually. Recently we did a recommendation, I'm sure you read about it, the homeland security color codes. There are the five color codes. Normally the country is on like yellow or orange. I think we've only been to red once. But we've never been to the two lowest, blue and green. So the system was up for review. It turns out that the color codes work really well for industry and government. They have procedures in place. They do things automatically when the color codes are changed. It is actually successful for them but for the third group that uses them, civilians, it actually doesn't work well at all.

Right. We don't understand it. We're like, what does it mean? Is it real?
Moss: How does it give us any actionable information? How should we change our behavior based on it? That's what came out of the report was that it's very hard for civilians to do anything with it and it causes confusion, and it's the No. 1 source of ridicule. The system needs to stay because it's valuable for the other two groups, but it needs to change was the conclusion of the report. So they had a couple of recommendations and one was to just get rid of the two lowest colors because honestly we've never been at them; make the new normal orange. Three levels is probably more realistic than having five. The U.K. doesn't have five either, I think they have three.

...

Originally posted at InSecurity Complex

AVG Free 9 offers speed, lacks etiquette

By Seth Rosenblatt

CORRECTED October 15, 2009, 11:45 a.m.:The default search choice is not changed, as was mistakenly reported earlier. Also, it's not the user's home page that gets changed, but the new tab page. I've clarified the nonmandatory nature of the LinkScanner toolbar, and added information ...

Originally posted at The Download Blog

Podcast: Symantec researcher on biggest Patch Tuesday ever

By Larry Magid

...

Originally posted at For the Record

Google's Postini suffers prolonged e-mail delays

By Tom Krazit

As of 2:15 p.m. Tuesday e-mail delivery had started to return to normal for some Postini customers, although problems remained.

(Credit: Screenshot by Tom Krazit/CNET)

Some customers of Google's Postini e-mail security product experienced significant problems Tuesday, with reports of hours-long delays in e-mail delivery that ...

Originally posted at Relevant Results

Adobe fixes 28 holes in Reader and Acrobat

By Elinor Mills

Adobe on Tuesday released a security bulletin that includes fixes for 28 vulnerabilities in Adobe Reader and Acrobat, including a critical hole that has reportedly been exploited in the wild in limited attacks.

Affected software includes version 9.1.3 of Reader and Acrobat; Acrobat 8.1.6 for Windows, ...

Originally posted at InSecurity Complex

AVG LinkScanner can detect malicious short URLs

By Lance Whitney

URL shorteners may be handy for your tweets on Twitter. But they're also known security holes since they don't display the actual address of your destination. A free tool from security vendor AVG may provide a solution.

AVG has updated its free LinkScanner tool to detect malicious pages ...

Critical Windows 7 holes fixed in record Patch Tuesday

By Elinor Mills

Microsoft released a record number of 13 bulletins for 34 vulnerabilities on Patch Tuesday--and the first critical update for Windows 7--as well as fixes for zero-day flaws involving Server Message Block (SMB) and Internet Information Services (IIS).

The most severe of the three SMB flaws, which were first reported last month, ...

Originally posted at InSecurity Complex

Internet breaks in Sweden after DNS maintenance error

By Elinor Mills

A problem during routine maintenance of Sweden's top-level domain, .se, took down the Internet for the country for about an hour on Monday night.

Basically, the .se registry used an incorrectly configured script to update the .se zone, Sweden-based Pingdom, which monitors Web site performance, wrote in a blog post ...

Originally posted at InSecurity Complex

McAfee releases new security suite for Macs

By Lance Whitney

Updated 1:45am PST Tuesday with pricing information.

McAfee has released a new security suite designed to help businesses better handle security for their growing segment of Macintosh computers.

Targeting small to large companies, McAfee Endpoint Protection for Mac provides antivirus and antispyware features, ...

Barracuda snags Purewire in Web security play

By Elinor Mills

Security appliance maker Barracuda Networks has acquired Purewire, a Web security-as-a-service provider, the companies were set to announce on Tuesday.

The acquisition gives Barracuda the SaaS offering, but also adds to its security researcher and threat detection capabilities, the company said.

The companies did not disclose terms of the deal. ...

Originally posted at InSecurity Complex

CounterMeasures

Rik Ferguson blogs about security issues.

Searching for news of Kanye West’s Death leads to malware

By Rik Ferguson on web

Demonstrating the speed with with criminals now captialise on internet memes, criminals are using the strength of a prank/rumour to push malware. A rumour started this morning that Kanye West had been killed in a “bizarre car accident”, the origin of this rumour has apparently been traced back to the 4chan message boards (although that blog posting appears [...]

More cybercrime as a service.

By Rik Ferguson on web

Yet more proof, if any were needed, of the firmly established underground criminal economy in the form of Scanning-as-a-Service. Illicit competition for Virustotal has appeared in the form of a Russian website offering automated malware scanning-as-a-service to help their malware continue to fly under the radar of pattern-based detection. Virustotal is an award-winning, entirely legitimate service that [...]

Darknet%20-%20Hacking,%20Cracking%20%26%20Computer%20Security

Darknet - The Darkside

Ethical Hacking, Penetration Testing & Computer Security

Retarded E-mails – Credit Cards, Coins, Bombs & More!

By Darknet on spammers

Ah it’s that time of the year again when all the back to skoolers have some mad l33t knowledge and wanna h4×0r the planet or something. Hmmm website hacking, sounds simple eh? thriller wrote: hai i would like to know website hacking how?……… sedn to my mail Ok I’m following up up to the exploding part? Not quite...
Read the full post at darknet.org.uk

Origami – Parse, Analyze & Forge PDF Documents

By Darknet on pdf security

origami is a Ruby framework designed to parse, analyze, and forge PDF documents. This is NOT a PDF rendering library. It aims at providing a scripting tool to generate and analyze malicious PDF files. As well, it can be used to create on-the-fly customized PDFs, or to inject (evil) code into already existing documents. Features Create PDF [...]
Read the full post at darknet.org.uk

Firefox Blocks Microsoft .NET Framework Assistant Add-on

By Darknet on windows presentation foundation

This is an interesting development, I noticed the pop-up on my Firefox yesterday. The reason however wasn’t security it was ‘instability’. It’s a fair move by Mozilla though as the add-on can cause security vulnerabilities in Firefox outside of their control. They can’t fix the software, so the best thing they can do...
Read the full post at darknet.org.uk

Naptha – TCP State Exhaustion Vulnerability & Tool

By Darknet on tcp security

The Naptha vulnerabilities are a type of denial-of-service vulnerabilities researched and documented by Bob Keyes of BindView’s RAZOR Security Team in 2000. The vulnerabilities exist in some implementations of the TCP protocol, specifically in the way some TCP implementations keep track of the state of TCP connections, and allow an attacker...
Read the full post at darknet.org.uk

Deep Packet Inspection Engine Goes Open Source

By Darknet on packet inspection

This is great news, especially for open source tool developers. Deep packet inspection is an extremely niche area and requires great expertise (and a lot of R&D of course). I hope a new project can spawn from this, it has many interesting applications. I think it’d be a good addition to Wireshark and IDS projects like [...]
Read the full post at darknet.org.uk

VIPER Lab’s VAST Live Distro – VoIP Security Testing LiveCD

By Darknet on voip-security-testing

VAST is a VIPER Lab live distribution that contains VIPER developed tools such as UCsniff, VoipHopper, Videojak, videosnarf, ACE, Warvox, and more. Along with VIPER tools and other essential VoIP security tools, it also contains tools penetration testers utilize such as Metasploit, Nmap, Netcat, Hydra, Hping2 etc. This distribution is a work in...
Read the full post at darknet.org.uk

UK Government To Launch ‘Hack Idol’

By Darknet on uk hacking contest

Now this should be interesting, perhaps they should turn it into a hacking based reality TV show? From the description though it looks more centered around defense than offense and perhaps should be called ‘System Administrator Idol’. Not quite so catchy though is it. Well at least they doing something to try and nurture talent in the...
Read the full post at darknet.org.uk

DarkReading - All Stories

DarkReading

DHS Secretary Says Cabinet-Level IT Position Unnecessary

cybersecurity, DHS, Homeland Security, Janet Napolitano, Obama, President Obama, cyber czar

Botnet Unleashes Variety Of New Phishing Attacks

Attackers use phony messages of system upgrades, Outlook updates, and Microsoft Conficker 'cleanup tool,' to spread malware

Security Software's New Form Factor: Free

Emerging security vendors take markets by storm by offering free versions of their software

Integrating WAFs And Vulnerability Scanners

Sharing vulnerability scanning data with a WAF could expedite process of shielding Web apps from newly discovered vulnerabilities, but also open the door for false positives

DIY: Defending Against A DDoS Attack

Proactive self-defense can make DDoS attacks less painful and damaging

Cost, Strength Of Security Drive Users Toward SaaS Offerings

New Dark Reading report offers a look at the strengths, weaknesses of security software-as-a-service offerings -- and how to choose the right provider

Patch Tuesday Is Microsoft's Biggest Ever

Microsoft issues 13 security bulletins disclosing 34 Windows vulnerabilities

Enterprises Continue To Struggle With Vulnerability Management

New Dark Reading report offers a look at how to find -- and fix -- security flaws in enterprise infrastructure

Five Ways To Meet Compliance In A Virtualized Environment

RSA, VMware unite security compliance and virtualization in new best practices guidelines

DarkReading - Security News

DarkReading

Verizon Business to Help Strengthen Network Security for NATO

Perimeter E-Security Launches Archive Manager to Address Federal Email Compliance and Maintain Business Operations During a Disaster

Online Sales of E Cigarettes Expected to Rise Over the Holidays

Suspect Detection Systems Inc. Sells Additional Cogito Interrogation Units to Federal Agency in Latin America

eWeek Security Watch

Diving Deep on Fake AV

In Spam

Phony AV programs that attempt to infect end users with malware have become an industry unto themselves, according to a new research report from Symantec.

Spam Uses Conficker Fear to Push Malware

In Virus and Spyware

Spammers are using a fake alert about the Conficker worm to scare users into downloading malware.

Password Strength Needs a Boost

In Privacy

Weak passwords continue to plague organizations, according to new research from academia.

Bad Actors Largely Unchecked in Cybercrime Efforts

In Virus and Spyware

Cybercriminals aren't slowing down as law enforcement and Web regulators have failed to find ways to stop them, experts observe.

Hot Spam: Targeted Phishing, Brand-Jacking

In Trojan attacks

Targeted spam and non-phishing brand abuse lead the way in this month's spam report published by McAfee's AVERT Labs.

USAF Report: Cyber War Not Under Radar

In Virus and Spyware

Governement-funded researchers are calling for greater consideration to be given to cyber-war, but not in terms of immediate investment.

Google Provides Malware Info to Webmasters to Improve Security

In Malware

Google has added a new feature to Webmaster Tools to provide more detailed information about malicious content it detects on the sites in its massive search index.

Federal Computer Week: Security News

Senate passes DHS IT funding increase

The Senate has passed legislation to fund the Homeland Security Department that has increases for major information technology programs. The House also approved the measure.

Federal student aid data isn't secure, IG says

The Education Department's student aid program risks unauthorized data loss or access problems if the department doesn't improve its information security, a new report says.

Napolitano asks public's help with cybersecurity

Homeland Security Secretary Napolitano said today cybersecurity is a shared responsibility and urged private persons to get involved.

Secret Service plans IT reboot

The Secret Service seeks information from companies as it prepares to modernize its information technology infrastructure.

SSA needs more planning for data systems upgrades, GAO says

The SSA is exchanging data more than one billion times a year and needs to do more to prepare for an increasing data exchange caseload, the GAO says.

Army cooks up new technology in AKO lab

A new test lab for the Army Knowledge Online and Defense Knowledge Online (AKO/DKO) Web portal gives service officials a safe and efficient way to test new applications and technologies for the site.

What you can do on AKO

Here are some of the features on the Army Knowledge Online and Defense Knowledge Online (AKO/DKO) Web portals.

Finding common cause

The global terrorist threat, brought to U.S. soil on 9/11, has not gone away. And it now includes the ever looming war in cyberspace.

Spam-borne malware surged in September

Spam messages that contained malicious attachments hit a high of 4.5 percent last month, a ninefold increase over the amount sent in August.

NASA info security controls are broken, GAO concludes

A GAO study found that an incomplete information security program has left weaknesses in NASA networks and information systems that could leave it open to disruption or penetration. But the space agency says improvements in security controls are being made.

Cyber warfare: Sound the alarm or move ahead in stride?

Military leaders and analysts say evolving cyber threats, which some believe could produce a "digital Hurricane Katrina," will require the Defense Department to work more closely with experts in industry.

Some key events in the history of cyber warfare

Track the timeline of significant cybersecurity attacks.

DHS agencies don't sustain info security programs, IG says

The Homeland Security Department's agencies must improve execution of the department's information security policies on a year-round basis, procedures and practices, DHS' inspector general said.

DHS would get more IT dollars under unified funding measure

A Senate-House committee wants to give the Homeland Security Department more money for several large information technology programs in fiscal 2010.

Leaders commended for contributions to info security

The sixth annual 2009 Government Information Security Leadership Awards were given by (ISC)2, an association that certifies information security professionals.

IRS wins some, loses a few in fight against identity theft and data loss

The IRS recorded more than 51,000 cases of taxpayer identity theft in 2008 and paid out $15 million in fraudulent refunds, and a GAO report finds that internal information security weaknesses constitute some of the most significant challenges faced by the agency.

Lawmaker urges Obama to appoint cybersecurity coordinator

President Barack Obama should quickly appoint a cybersecurity coordinator to ensure computer defense efforts are coordinated, a House member who oversees cybersecurity programs said today.

Info Security News

Carries news items (generally from mainstream sources) that relate to security.

Time Warner Cable Exposes 65, 000 Customer Routers to Remote Hacks

Posted by InfoSec News on Oct 22

http://www.wired.com/threatlevel/2009/10/time-warner-cable/
By Kim Zetter
Threat Level
Wired.com
October 20, 2009
A vulnerability in a Time Warner cable modem and Wi-Fi router deployed
to 65,000 customers would allow a hacker to remotely access the device's
administrative menu over the internet, and potentially change the
settings to intercept traffic, according to a blogger who discovered the
issue.
Time Warner acknowledged the problem...

Nonprofit Air Force Association recruits youth for cyber war games

Posted by InfoSec News on Oct 21

http://www.thedailytell.com/2009/10/nonprofit-air-force-association-recruits-youth-for-cyber-war-games/
By John Zorabedian
The Daily Tell
October 19, 2009
The nonprofit Air Force Association announced that 200 high schools from
44 states in the U.S., South Korea and Japan will participate in the
largest high school cyber defense competition ever staged starting
November 7.
Called CyberPatriot II, the war games are a way to promote careers...

What Did The Moon Scientist Want To Tell The Israelis? Some Clues

Posted by InfoSec News on Oct 21

http://politics.theatlantic.com/2009/10/what_did_the_moon_scientist_spy_tell_the_israelis_some_clues.php
Politics
Edited by Marc Ambinder
The Atlantic
Oct 19 2009
There's nothing like a good, diverting spy scandal. The FBI today
arrested an eminent space scientist, Stewart David Nozette, and charged
him with espionage. He allegedly agreed to sell information about
American nuclear weapons to an operative of Israel's Mossad -- only the...

DHS Secretary Says Cabinet-Level IT Position Unnecessary

Posted by InfoSec News on Oct 21

http://www.darkreading.com/security/government/showArticle.jhtml?articleID=220700409
By Kelly Jackson Higgins
DarkReading
Oct 20, 2009
The secretary of the Department of Homeland Security (DHS) today
basically dismissed the concept of a cabinet-level IT position for
technology and cybersecurity, noting that IT networks and services
underlie most operations today.
DHS Secretary Janet Napolitano delivered an unprecedented Web address
this...

ChoicePoint to pay $275,000 in latest data breach

Posted by InfoSec News on Oct 21

http://news.cnet.com/8301-27080_3-10379722-245.html
By Elinor Mills
InSecurity Complex
CNet News
October 20, 2009
ChoicePoint, one of the nation's largest data brokers, has been fined
$275,000 by the U.S. Federal Trade Commission for a data breach that
exposed personal information of 13,750 people last year.
In April 2008, ChoicePoint turned off a key electronic security tool
that it used to monitor access to one of its databases and failed...

NSA Director Tapped For Cyber Command

Posted by InfoSec News on Oct 21

http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=220700278
By J. Nicholas Hoover
InformationWeek
October 20, 2009
President Obama has, as expected, nominated National Security Agency
director Lt. Gen. Keith Alexander to be promoted to the rank of general
and assigned as commander of the new United States Cyber Command.
The Cyber Command, announced this summer, will be in charge of
cyberwarfare and the...

Top US scientist accused of trying to spy for Israel (fwd)

Posted by InfoSec News on Oct 20

http://www.telegraph.co.uk/news/worldnews/northamerica/usa/6380288/Top-US-scientist-accused-of-trying-to-spy-for-Israel.html
By Toby Harnden in Washington
Telegraph
19 Oct 2009
Stewart Nozette, 52, developed an experiment that fuelled the discovery
of water on the south pole of the moon, and held a special security
clearance at the United States Department of Energy on atomic materials.
He has been charged with .attempted espionage for...

Part 2: Q&A with Jeff Moss on computer hacking

Posted by InfoSec News on Oct 20

http://news.cnet.com/8301-27080_3-10377162-245.html
By Elinor Mills
InSecurity Complex
CNet News
October 19, 2009
Like many young hackers, Jeff Moss got his start copying computer games,
learned how to program, and began to explore the world through a modem.
Unlike many young hackers, Moss has managed to turn his computer and
social-networking skills into a business. He founded Defcon, the first
major hacker conference and the largest in...

Classified Info on Dangerous Chemicals Hacked

Posted by InfoSec News on Oct 20

http://www.koreatimes.co.kr/www/news/nation/2009/10/113_53708.html
The Korea Times
10-17-2009
Hackers stole classified information on dangerous chemicals in their
raid on the South Korean army computer network in what was believed to
be an attack by North Korea, Yonhap News Agency reported Saturday,
quoting government officials.
The Chemicals Accident Response Information System, used by 589 South
Korean government agencies including fire...

VoIP hack suspect fugitive extradited back to US

Posted by InfoSec News on Oct 20

http://www.theregister.co.uk/2009/10/19/hack_extradition/
By John Leyden
The Register
19th October 2009
A Venezuelan hacking suspect arrested in Mexico last February on
computer hacking and fraud charges faces a court appearance in New
Jersey on Tuesday, following his extradition to the US last week.
Edwin Pena, 26, a former Miami resident, fled from US justice in August
2006 two months after he was bailed on charges of hacking into phone...

Medical Records: Stored in the Cloud, Sold on the Open Market

Posted by InfoSec News on Oct 20

http://www.wired.com/threatlevel/2009/10/medicalrecords/
By Kim Zetter
Threat Level
Wired.com
October 19, 2009
When patients visit a physician or hospital, they know that anyone
involved in providing their health care can lawfully see their medical
records.
But unknown to patients, an increasing number of outside vendors that
manage electronic health records also have access to that data, and are
reselling the information as a commodity....

Botnet Unleashes Variety Of New Phishing Attacks

Posted by InfoSec News on Oct 20

http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=220700200
By Kelly Jackson Higgins
DarkReading
Oct 19, 2009
The massive Zbot botnet that spreads the treacherous Zeus banking Trojan
has been launching a wave of relatively convincing phishing attacks
during the past few days -- the most recent of which is a phony warning
of a mass Conficker infection from Microsoft that comes with a free
"cleanup...

NASA info security controls are broken, GAO concludes

Posted by InfoSec News on Oct 19

http://gcn.com/articles/2009/10/16/nasa-info-security-controls-broken.aspx
By William Jackson
GCN.com
Oct 16, 2009
Key information technology systems at NASA have weaknesses in several
critical areas that could lead to those systems being compromised,
according to the Government Accountability Office.
Although controls are being implemented as part of a risk-based
information security program, required under the Federal Information...

Ex-Ford Engineer Indicted For Allegedly Stealing Company Secrets

Posted by InfoSec News on Oct 19

http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=220601211
By Kelly Jackson Higgins
DarkReading
Oct 16, 2009
Yet another major corporation may have been the victim of one of its own
stealing trade secrets: A former Ford Motor engineer has been indicted
for allegedly stealing thousands of sensitive documents from the company
and copying them onto a USB drive before taking a job with another auto
company....

38 Oracle security patches coming next week

Posted by InfoSec News on Oct 19

http://www.computerworld.com/s/article/9139500/38_Oracle_security_patches_coming_next_week?taxonomyId=17
By Robert McMillan
October 16, 2009
IDG News Service
After a record-setting week of Microsoft and Adobe security patches,
Oracle is gearing up for a major update of its own next week.
Next Tuesday, the database vendor will release its quarterly Critical
Patch Update, which "contains 38 security vulnerability fixes across
hundreds...

Q&A: Defcon's Jeff Moss on cybersecurity, government's role

Posted by InfoSec News on Oct 19

http://news.cnet.com/8301-27080_3-10376447-245.html
By Elinor Mills
InSecurity Complex
CNet News
October 16, 2009
As a hacker and organizer of Defcon, at event at which computer security
vulnerabilities and exploits are routinely unveiled, Jeff Moss seemed an
unusual choice when he was named to the Homeland Security Advisory
Council in June.
But his background and lack of government experience brings a fresh,
outsider's perspective to a...

PayChoice Suffers Another Data Breach

Posted by InfoSec News on Oct 18

http://voices.washingtonpost.com/securityfix/2009/10/paychoice_suffers_another_data.html
By Brian Krebs
Security Fix
The Washington Post
October 15, 2009
Payroll services provider PayChoice took its Web-based service offline
for the second time in a month on Wednesday in response to yet another
data breach caused by hackers.
Moorestown, N.J. based PayChoice, provides direct payroll processing
services and licenses its online employee...

CanSecWest 2010 CALL FOR PAPERS (deadline Nov 30, conf. Mar 22-26) and PacSec (Nov 4/5) Selections

Posted by InfoSec News on Oct 18

Forwarded from: Dragos Ruiu <dr (at) kyx.net>
We extend our apologies if you are inconvenienced by multiple copies of
this messages.
We would like to announce the PacSec 2009 Paper Selections, and the
opening of the 2010 CanSecWest Call For Papers. Given the proximity of
the Winter Olympics in Vancouver one month before the conference, we
would advise all planning to attend to make travel preparations well in
advance for next year......

Linux Advisory Watch - October 16th 2009

Posted by InfoSec News on Oct 18

+----------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| October 16th, 2009 Volume 10, Number 42 |
| |
| Editorial Team: Dave Wreski <dwreski () linuxsecurity com> |
| Benjamin D. Thomas <bthomas () linuxsecurity...

Secretary to address Cybersecurity on Tuesday

Posted by InfoSec News on Oct 18

Forwarded from: Jeff Moss <jmoss (at) blackhat.com>
"Tuesday, October 20 2009, 11:00 a.m. EDT, Secretary Napolitano will
deliver a live webcast address about the urgent need to counter the
threat of cyber attacks, and the shared responsibility in staying safe
online. Visit www.dhs.gov on Tuesday to watch this live address.
Increasing the general public's awareness about computer and online
risks is a critical part of...

Home sec puts McKinnon extradition on hold

Posted by InfoSec News on Oct 18

http://www.theregister.co.uk/2009/10/18/mckinnon_delay/
By Team Register
The Register
18th October 2009
The Home Office has agreed to a delay in extradition proceedings for
Pentagon hacker Gary McKinnon while Home Secretary Alan Johnson and
government lawyers reconsider evidence in the case.
Washington has been demanding McKinnon go on trial in the US for
breaking into Pentagon computer systems back in 2002. He has never
denied tapping...