Tuesday, November 24, 2009

Around The Horn vol.1,161

Zero Day

Tracking the hackers

Exploit published for critical IE 7 zero-day flaw

By Ryan Naraine on Responsible disclosure

The vulnerability could be used in malware attacks to take complete control of a Windows machine running IE 6 or IE 7.

Inside the Google Chrome OS security model

By Ryan Naraine on iPhone

Google will use a combination of system hardening, process isolation, verified boot, secure auto-update and encryption to thwart attacks on its new Google Chrome OS by malicious hackers.

Microsoft finds security hole in Google Chrome Frame

By Ryan Naraine on Patch Watch

A security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a "high risk" Google Chrome Frame security vulnerability that could allow an attacker to bypass cross-origin protections.

Mozilla locks out rogue Firefox add-ons

By Ryan Naraine on Vulnerability research

Mozilla has made a significant tweak to the Firefox 3.6 code base to block rogue add-ons from loading in the browser's application components directory.

Yahoo! News

Yahoo! News: Security News

Security News

Key scientist says politics behind stolen e-mails (AP)

In science

AP - A leading climate change scientist said hackers breaking into a university's computer server and then posting documents online show the nasty politics of global warming.

Mich. spammer gets 4 years in stock fraud scheme (AP)

In business

AP - A federal judge has sentenced a suburban Detroit man described as one of the world's most prolific senders of spam e-mail to more than four years in prison for his role in a 2005 stock fraud scheme that netted him $2.7 million.

Hong Kong man, three others jailed for spam scheme (AFP)

In technology

AFP - A Hong Kong resident and three other men, including the self-proclaimed "Godfather of Spam," were sentenced to prison on Monday for their roles in an email stock fraud scheme, the Justice Department said.

"Jail broken" iPhones hacked by new virus (Reuters)

In technology

Reuters - Hackers have built a virus that attacks Apple Inc's iPhone by secretly taking control of the devices via their Internet connections, security experts said.

New Worm Steals Data From Jailbroken iPhones (NewsFactor)

In business

NewsFactor - Just two weeks after Apple iPhone users in Australia reported jailbroken iPhones came under siege by attackers, a new version of the iPhone worm is posing a threat. Symantec reports the new worm targets jailbroken iPhones running SSH that are still using the default password. The worm can reportedly steal data stored on the iPhone as well as connect back to the attacker, giving them control of the phone.

Third iPhone worm targets jailbroken iPhones in Europe, Australia (Macworld.com)

In technology

Macworld.com - Another week, another worm hitting jailbroken iPhones. As with the previous exploits, which Rickrolled your phone's wallpaper and stole your data, this nasty piece of work burrows its way into your jailbroken device if you haven't changed the password for the iPhone's root account -- you have changed your root password, right? Right?

Facebook Worm Sells Itself with a Booty Call (PC Magazine)

In technology

PC Magazine - A new Facebook worm appeared over the weekend, pairing malware with a sexy come-on. NSFW warning: racy image inside.

New Attack Fells Internet Explorer (PC World)

In technology

PC World - A hacker has posted attack code that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser.

Security Pro Says New SSL Attack Can Hit Many Sites (PC World)

In technology

PC World - A Seattle computer security consultant says he's developed a new way to exploit a recently disclosed bug in the SSL protocol, used to secure communications on the Internet. The attack, while difficult to execute, could give attackers a very powerful phishing attack.

Trends & Innovations - Thursday (Investor's Business Daily)

In business

Investor's Business Daily - Hackers are increasingly targeting law firms and public relations companies with e-mail schemes that break into PC networks to steal data linked to their big corporate clients. For law firms in particular, the FBI has issued an advisory that warns of "noticeable increases" in efforts to hack into such firms' PC systems. The trend began 2 years ago but has grown dramatically, experts say. Hackers often target law firms that are negotiating a major int'l deal, anything from seeking a patent on a sensitive new technology to opening a plant in another country.

UK police make 2 Trojan computer virus arrests (AP)

In technology

AP - A couple suspected of helping spread some of the Internet's most aggressive computer viruses has been arrested in the English city of Manchester, police said Wednesday.

Police make "trojan" virus arrests (Reuters)

In technology

Reuters - Detectives have made the first arrests in Europe to tackle a "trojan" computer virus which is believed to have infected tens of thousands of computers across the world, London police said on Wednesday.

UK Police Reveal Arrests Over Zeus Banking Malware (PC World)

In technology

PC World - British police said Wednesday they've made the first arrests in Europe of two people for using Zeus, a sophisticated malicious software program that can scoop up any sensitive information on a PC.

Fortinet shares price at $12.50 each ahead of IPO (AP)

In business

AP - Shares of Fortinet Inc. priced higher than expected at $12.50 each ahead of the computer security company's planned initial public offering Wednesday.

Computer Security Challenged By Web 2.0 'Endpoint' Growth (Investor's Business Daily)

In business

Investor's Business Daily - It also makes computer security problems. Research out this week shows how companies may be letting tech security slip as they rush to do more tasks online, under greater budget pressures.

WindowSecurity.com

WindowSecurity.com provides Windows security news, articles, tutorials, software listings and reviews for information security professionals.

VIDEO: Securing Windows 7 desktops with AppLocker

By Derek Melber

This video explains the process of securing Windows 7 desktops using the AppLocker utility.

TaoSecurity

Richard Bejtlich's blog on digital security and the practices of network security monitoring, incident response, and forensics.

Control "Monitoring" is Not Threat Monitoring

By Richard Bejtlich

As I write this post I'm reminded of General Hayden's advice:
"Cyber" is difficult to understand, so be charitable with those who don't understand it, as well as those who claim "expertise."
It's important to remember that plenty of people are trying to act in a positive manner to defend important assets, so in that spirit I offer the following commentary.
Thanks to John Bambanek's SANS post I read NIST Drafts Cybersecurity Guidance by InformationWeek's J. Nicholas Hoover.
The article discusses the latest draft of SP 800-37 Rev. 1: DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
I suspected this to be problematic given NIST's historical bias towards "controls," which I've criticized in Controls Are Not the Solution to Our Problem and Consensus Audit Guidelines Are Still Controls. The subtext for the article was:
The National Institute for Standards and Technology is urging the government to continuously monitor its own cybersecurity efforts.
As soon as I read that, I knew that NIST's definition of "monitor" and the article's definition of "monitor" did not mean the real sort of monitoring, threat monitoring, that would make a difference against modern adversaries.
The article continues:
Special Publication 800-37 fleshes out six steps federal agencies should take to tackle cybersecurity: categorization, selection of controls, implementation, assessment, authorization, and continuous monitoring...
Finally, and perhaps most significantly, the document advises federal agencies to put continuous monitoring in place. Software, firmware, hardware, operations, and threats change constantly. Within that flux, security needs to be managed in a structured way, Ross says.
"We need to recognize that we work in a very dynamic operational environment," Ross says. "That allows us to have an ongoing and continuing acceptance and understanding of risk, and that ongoing determination may change our thinking on whether current controls are sufficient."
The continuous risk management step might include use of automated configuration scanning tools, vulnerability scanning, and intrusion detection systems, as well as putting in place processes to monitor and update security guidance and assessments of system security requirements.

Note that the preceding text mentions "intrusion detection systems," but the rest of the text has nothing to do with real monitoring, i.e., detecting and responding to intrusions. I'm not just talking about network-centric approaches, by the way -- infrastructure, host, log, and other sources are all real monitoring, but this is not what NIST means by "monitoring."
To understand NIST's view of monitoring, try reading the new draft. I'll insert my comments.
APPENDIX G
CONTINUOUS MONITORING
MANAGING AND TRACKING THE SECURITY STATE OF INFORMATION SYSTEMS
A critical aspect of managing risk from information systems involves the continuous monitoring of the security controls employed within or inherited by the system.[65]
[65 A continuous monitoring program within an organization involves a different set of activities than Security Incident Monitoring or Security Event Monitoring programs.]

So, it sounds like activities that involve actually watching systems are not within scope for "continuous monitoring."
Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence. An effective organizational information security program also includes a rigorous continuous monitoring program integrated into the system development life cycle. The objective of the continuous monitoring program is to determine if the set of deployed security controls continue to be effective over time in light of the inevitable changes that occur.
That sounds ok so far. I like the idea of evaluations to determine if controls are effective over time. In the next section below we get to the heart of the problem, and why I wrote this post.
An effective organization-wide continuous monitoring program includes:
• Configuration management and control processes for organizational information systems;
• Security impact analyses on actual or proposed changes to organizational information systems and environments of operation;[67]
• Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the organization-defined continuous monitoring strategy;[68]
• Security status reporting to appropriate organizational officials;[69] and
• Active involvement by authorizing officials in the ongoing management of information system-related security risks.

Ok, where is threat monitoring? I see configuration management, "control processes," reporting status to "officials," "active involvement by authorizing officials," and so on.
The next section tells me what NIST really considers to be "monitoring":
Priority for security control monitoring is given to the controls that have the greatest volatility and the controls that have been identified in the organization's plan of action and milestones...
[S]ecurity policies and procedures in a particular organization may not be likely to change from one year to the next...
Security controls identified in the plan of action and milestones are also a priority in the continuous monitoring process, due to the fact that these controls have been deemed to be ineffective to some degree.
Organizations also consider specific threat information including known attack vectors (i.e., specific vulnerabilities exploited by threat sources) when selecting the set of security controls to monitor and the frequency of such monitoring...

Have you broken the code yet? Security control monitoring is a compliance activity. Granted, this is an improvement from the typical certification and accreditation debacle, where "security" is assessed via paperwork exercises every three years. Instead, .gov compliance teams will perform so-called "continuous monitoring," meaning more regular checks to see if systems are in compliance.
Is this really an improvement?
I don't think so. NIST is missing the point. Their approach advocates Control-compliant security, not field-assessed security. Their "scoreboard" is the result of a compliance audit, not the number of systems under adversary control or the amount of data exfiltrated or degraded by the adversary.
I don't care how well your defensive "controls" are informed by offense. If you don't have a Computer Incident Response Team performing continuous threat monitoring for detection and response, you don't know if your controls are working. The NIST document has a few hints about the right approach, at best, but the majority of the so-called "monitoring" guidance is another compliance activity.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)

Audio of Bejtlich Presentation on Network Security Monitoring

By Richard Bejtlich

One of the presentations I delivered at the Information Security Summit last month discussed Network Security Monitoring. The Security Justice guys recorded audio of the presentation and posted it here as Network Security Monitoring and Incident Response. The audio file is InfoSec2009_RichardBejtlich.mp3.

Traffic Talk 8 Posted

By Richard Bejtlich

I just noticed that my 8th edition of Traffic Talk, titled How to use user-agent strings as a network monitoring tool, was posted this week. It's a simple concept that plenty of NSM practitioners implement, and I highly recommend it.

SecurityFocus

SecurityFocus News

SecurityFocus is the most comprehensive and trusted source of security information on the Internet. We are a vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.

News: Major IE8 flaw makes 'safe' sites unsafe

Brief: Climatologists hot over e-mail hack

Climatologists hot over e-mail hack

Brief: Firms fail to secure mobile, cloud data

Brief: No cyberwar yet, but soon, says firm

Security Fix

Brian Krebs on computer and Internet security

Spam 'Godfather' gets 51 months in prison

In Cyber Justice

These past few days have seen some notable cyber justice cases: Late Monday, Alan M. Ralsky -- a man dubbed the "Godfather of Spam" -- was sentenced to 51 months in prison. And on Friday, a California man pleaded guilty in a case involving the sale of counterfeit high-tech computer parts to the U.S. military. Ralsky, 64, of West Bloomfield, Mich., joined two co-conspirators in earning stiff prison sentences for long careers of blasting junk e-mail. Following more than four years in prison, Ralsky will be subject to five years of supervised release and will forfeit $250,000 the government seized from him in December 2007, the Justice Department said. According to the government, Ralsky was a top promoter of so-called pump-and-dump scams, schemes in which fraudsters buy up a bunch of low-priced microcap stock, blast out millions of spam e-mails touting it as a hot buy and then dump their

New attack targets weakness in Internet Explorer

In Latest Warnings

Blueprints showing attackers how to exploit a previously unknown security hole in versions of Microsoft's Internet Explorer browser recently were published online. The danger here is if IE users browse to a hacked or booby-trapped Web site that uses the exploit, that site could install malicious software. Microsoft has not yet issued an advisory about this threat. According to initial reports from Symantec and vulnerability management firm VUPEN, the exploit works against IE 6 and IE 7 versions only. The vulnerability apparently resides in the way IE handles so-called cascading style sheet information (CSS), which a great many Web sites use to control the design and formatting of text and other site elements. Symantec reports that the attack code is a bit buggy and unreliable at the moment, but that a fully-functional and more reliable exploit almost certainly will be released soon. Symantec advises IE users to make sure

Alpha Software disclosure leads to confusion

In From the Bunker

A few days ago, Security Fix heard from a reader who received a breach notification so casual in tone that he asked me to verify whether it was for real. Sure enough, Burlington, Mass.-based database application company Alpha Software Inc. recently told customers that a data breach had exposed their payment information. That fact was confirmed by similarly confused users posting to the company's online forum. The e-mail notice to affected customers reads: November 9, 2009 Dear Customer, We have been informed that there has been a security breach at the Internet Service Provider where our web site is hosted. This may have resulted in your credit card information being compromised. While it is entirely possible that your credit card information has not been stolen, in the interests of caution, we recommend that you contact your credit card provider to discuss what steps, if any, they recommend. Going forward, we

FDA targets rogue Internet pharmacies

In Web Fraud 2.0

The U.S. Food and Drug Administration is pressuring a number of Internet service providers to shut off nearly 12 dozen Web sites alleged to be selling counterfeit or unapproved prescription drugs. The FDA's office of criminal investigations said it sent 22 warning letters to the operators of the sites, and alerted the appropriate ISPs and domain name registrars that the sites were selling phony pharmaceuticals, all without requiring a prescription. The agency said none of the sites represent pharmacies located in the United States or Canada, as most claim. According to the letters sent to owners of the 136 targeted sites, the online stores hawked everything from powerful controlled substances, including Valium and Xanax, to lifestyle drugs like Viagra and Levitra. Some sites even offered prescription drugs that have not yet been approved for distribution or sale in the United States, such as the anti-obesity drug Acomplia. "Many U.S. consumers

Bill would ban P2P use on federal networks, PCs

In U.S. Government

The chairman of the House Oversight and Government Reform Committee introduced legislation on Tuesday to prohibit the use of peer-to-peer (P2P) file-sharing software across all federal government computers and networks. The "Secure Federal File Sharing Act" would direct the White House's Office of Management and Budget to issue guidelines barring the use and/or installation of P2P software on federal systems, unless otherwise approved for a specific purpose. The bill also calls on OMB to develop a policy that would extend to networks and computers operated by agency contractors, as well as to personal computers of federal employees remotely accessing federal networks. "We can no longer ignore the threat to sensitive government information that insecure peer-to-peer networks pose," said Rep. Edolphus Towns, the Democrat from New York who chairs the House oversight panel, in a statement. "Voluntary self-regulations have failed so now is the time for Congress to act." The bill

Experts: Smart grid poses privacy risks

In Latest Warnings

Technologists already are worried about the security implications of linking nearly all elements of the U.S. power grid to the public Internet. Now, privacy experts are warning that the so-called "smart grid" efforts could usher in a new class of concerns, as utilities begin collecting more granular data about consumers' daily power consumption. "The modernization of the grid will increase the level of personal information detail available as well as the instances of collection, use and disclosure of personal information," warns a report (PDF) jointly released Tuesday by the Ontario Information and Privacy Commissioner and the Future of Privacy Forum (FPF), a think tank made up of chief privacy officers, advocates and academics. Smart grid technology -- including new "smart meters" being attached to businesses and homes -- is designed in part to provide consumers with real-time feedback on power consumption patterns and levels. But as these systems begin to

Security - RSS Feeds

Microsoft Confirms Internet Explorer Zero-Day Vulnerability

Microsoft confirms the existence of proof-of-concept attack code for a flaw affecting Internet Explorer 6 and 7.
- Microsoft has confirmed the existence of a zero-day bug in Internet Explorer 6 and 7. Proof-of-concept attack code for the flaw was posted Nov. 20 to the Bugtraq mailing list. The flaw is tied to the way IE uses CSS (Cascading Style Sheets) information. According to Microsoft, the company ...

Check Point Acquires FaceTime Database for Application Controls

Check Point Software Technologies acquires FaceTime Communications' application classification and signature database. The technology will appear in a new software blade sometime in 2010.
- Check Point Software Technologies has acquired FaceTime Communications' application classification and signature database to "add security controls for over 50,000 Web 2.0 widgets and more than 4,500 Internet applications," Check Point announced Nov. 23. The acquisition, made for an un...

Symantec Spots Worm Targeting Jailbroken Apple iPhones

Updated: Symantec uncovers a new worm targeting jailbroken iPhones. Unlike the Ikee worm that appeared earlier in November, this worm can be used to steal data.
- Researchers at Symantec have uncovered another worm aimed at jailbroken iPhones. Like the well-publicized Ikee worm, the recently discovered malware targets jailbroken iPhones running SSH (Secure Shell) and using the default password of "alpine." However, unlike Ikee, which merely cha...

Older Microsoft Internet Explorer Vulnerable to Security Flaw

Researchers at Symantec say exploit code for a zero-day security vulnerability has been uncovered in Internet Explorer 6 and 7.
- Proof-of-concept code for an attack targeting old versions of Microsoft Internet Explorer has made its way online. According to Symantec, someone posted the code Nov. 20 to the Bugtraq mailing list. The code targets a flaw tied to how Internet Explorer (IE) uses cascading style sheet (CSS) inf...

A Security Wish List for Microsoft Internet Explorer 9

Microsoft unveiled some details about Internet Explorer 9 this week at the Professional Developers Conference in Los Angeles. But what does Microsoft have in store for IE users from a security perspective?
- Microsoft unveiled an embryonic version of Internet Explorer 9 at its Professional Developers Conference (PDC) this week, touching off a round of speculation of what the browser would entail feature-wise. From a security perspective, Microsoft has sought to make strides with each version of Int...

Three Charged in Comcast Cyber-Attack

Three men were charged by federal indictment Nov. 19 in connection with attacking Comcast.net and redirecting traffic to sites under their control. The group altered Comcast's DNS records and is estimated to have cost the company more than $128,000.
- Three men have been charged by federal authorities for redirecting traffic for Comcast.net last year to sites under the trio's control. According to the FBI, Christopher Allen Lewis, 19, of Newark, Del., Michael Paul Nebel, 27, of Kalamazoo, Mich., and 20-year-old James Robert Black Jr. o...

Microsoft Uncovers Vulnerability in Google Chrome Plug-in for IE

Microsoft uncovers a vulnerability in a controversial Google plug-in for Internet Explorer that could be exploited to bypass cross-origin protections. Google patched the issue this week in an update.
- Microsoft researchers uncovered a flaw in the Google Chrome Frame plug-in for users of Internet Explorer. According to Google, which patched the problem Nov. 18 with an update, the vulnerability could be exploited to bypass cross-origin protections. The plug-in, which injects Google Chrome's ren...

Google Chrome OS Security Model Breaks the Traditional Mold

With Chrome OS, Google says it has abandoned the traditional operating system security model and put its focus on using process isolation, verified boot, encryption and system hardening to protect users.
- Google previewed Chrome OS Nov. 19 and opened up about how its security strategy deviates from the traditional model for securing today's operating systems. In a presentation, Google painted a picture of a slim operating system that uses a combination of sandboxing, encryption of user data...

Up Close and Technical look at SocialPet

SocialPet, a new product from Jetmetric, lets administrators send fake phishing e-mails to selected employees to determine which ones know enough to ignore the messages and which don't - posing a threat to company security.
- Video Content....

10 Lessons Google Must Learn About OS Security

News Analysis: Google is new to the operating system market, so it has to demonstrate that it understands how to build and maintain a secure Web OS. The history of Windows security has shown there are many avenues of attack against a desktop operating system. There are even more potential attack strategies for an online OS. But whether Google has learned the many hard lessons of Web security is very much in doubt at this point.
- Much has been made of Google's intentions in the operating system space. The company has made it clear that it wants its products to be used on netbooks. It wants to be the first major company to deliver an online operating system that can compete with the likes of Windows 7 Starter Edition and ...

T-Mobile Confirms U.K. Data Breach

T-Mobile confirmed that an employee at its U.K. subsidiary passed customer data to third-party brokers, potentially leading to a criminal prosecution. Despite the potential damage to customers' lives, such a data breach is most likely punishable with a fine as opposed to jail time in the U.K. T-Mobile has been dealing with public-relations issues on both ends of the Atlantic, including an incident in which a massive server failure led to Sidekick smartphone users in the U.S. temporarily losing their personal data.
- T-Mobile confirmed that an employee had passed along customer data to third-party brokers in the U.K., an incident that could lead to criminal prosecution. Given that the defendants likely face a potential fine but no jail time, a number of British commentators have been suggesting that penalties...

Firefox 3.6 Beta Blocks Third-Party Add-ons from Components Directory

Mozilla updates its Firefox 3.6 beta to block add-ons from adding code to Firefox's components directory. The move is meant to reduce crashes and will keep vendors from silently installing Firefox add-ons without permission from the user, Mozilla says.
- Mozilla has added an extra wall in Firefox 3.6 to block third-party add-ons from loading in the browser's application components directory. The change prevents third-party applications from adding code to Firefox's components directory which houses much of Firefox's own code and will thereby k...

U.K. Police Arrest Two Tied to Zeus Trojan

Police in the U.K. arrested two people tied to the Zeus Trojan, a notorious piece of malware used to steal banking information and other personal data such as passwords for sites like Facebook.
- Authorities in the U.K. have reportedly arrested two people in connection with using a notorious Trojan in a scheme to steal online banking information. The man and the woman, both 20, were arrested by the Metropolitan Police Service in Manchester for violating the 1990 Computer Misuse Act a...

Cyber-war Could Threaten Security of Critical Infrastructure

In a new report released by McAfee, several noted security experts discuss the improving cyber-warfare capabilities of the world's superpowers and the risks facing critical infrastructures.
- The ability of several countries to launch politically motivated cyber-attacks has increased and put critical infrastructure in the crosshairs, according to a sweeping report from McAfee. In its fifth annual Virtual Criminology Report (PDF), McAfee noted that not only have politically motiva...

Security

Latest jailbroken iPhone worm tries filching bank passwords

By jacqui@arstechnica.com (Jacqui Cheng) on worm

The second malicious worm to attack jailbroken iPhones has been spotted in the wild, and is the first to directly target users' bank accounts. Called iBotnet.A by security research firm Intego, the worm tries to steal account logins from customers of popular online banking service ING Direct. Though it only affects iPhones that have been jailbroken by the user with SSH installed, this is clearly a trend that is growing quickly—and one that Apple isn't likely to care about until it affects "legit" users.

According to Intego, the malware scans for phones on a local network and a range of IPs with an open SSH port, then attempts to log in using the default root password that is the same on all iPhones. This is the same method used by the first malicious iPhone worm that came out earlier this month. The IPs scanned by this particular worm include those in the Netherlands, Portugal, Hungary, and Australia.

Google Chrome Frame patches Microsoft-reported security bug

By emil.protalinski@arstechnica.com (Emil Protalinski) on internetexplorer

This week, Google released an update to Google Chrome Frame. Version 4.0.245.1 is available and all users should be updated automatically, according to Google Chrome Releases. The release fixes issues where the plugin would not follow redirects properly, where network requests would fail randomly, and where it would freeze IE8 intermittently. What really caught our eye though, was the security fix that's included in the release, and especially who gets the credit for finding it:

Smart grids drag utilities into the swamp of online privacy

By jtimmer@arstechnica.com (John Timmer) on smartgrid

The smart grid is rapidly becoming a reality in the US, as utilities have been installing networked monitoring and control equipment, both in their own facilities and in their customers' homes. The pace of these installations should accelerate due to recent initiatives from the Department of Energy and the state of California; across the border, the Province of Ontario will see smart meters installed in every home by the end of next year. Ontario's Information and Privacy Commissioner has now worked with members of the Future of Privacy Forum to analyze the privacy implications of these initiatives. The resulting report indicates that there are a variety of potential privacy concerns, some of which are best addressed before the deployments begin in earnest.

Nearly half of the report simply reviews what the smart grid entails, specifically from the consumer perspective. In general terms, a smart meter, combined with smart appliances and other hardware, will allow consumers to obtain fine-grained information about their energy use patterns, and exercise a greater degree of control over them. As the report notes, this can have a wide variety of positive consequences, from more efficient use of energy resources to lowered electric bills. So the general message is that concerns about privacy shouldn't derail plans to deploy smart grids.

SecuriTeam.com

SecuriTeam

Welcome to the SecuriTeam RSS Feed - sponsored by Beyond Security. Know Your Vulnerabilities! Visit BeyondSecurity.com for your web site, network and code security audit and scanning needs.

McAfee Network Security Manager Cross-Site Scripting (XSS) Vulnerability

McAfee Network Security Manager is vulnerable to cross-site scripting (XSS) caused by improper validation of user-supplied input.

Gimp BMP Image Parsing Integer Overflow Vulnerability

Gimp has a BMP Image Parsing Integer Overflow vulnerability which can be exploited by malicious people to potentially compromise a user's system.

Cisco Catalyst Blade Switch 3020/3120 DoS Vulnerability

A potential vulnerability has been identified with the Cisco Catalyst Blade Switch 3020/3021. The vulnerability could be exploited remotely to create a Denial of Service (DoS).

RhinoSoft Serv-U TEA Decoding Buffer Overflow

Serv-U can be exploited by malicious people to potentially compromise a vulnerable system.

Nortel Alteon OS Browser-Based Interface XSS and XSRF Vulnerabilities

Browser-Based Interface (BBI) software is included in the Nortel Networks version 25.0.0.0 and prior and the Radware family of switches. The BBI software lets you use your Web browser to access switch information and statistics and perform switch configuration via the Internet. These vulnerabilities could allow attackers to change the switch configuration.

Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation

Avast's aswRdr.sys driver does not sanitize user-supplied input (IOCTL), and this leads to a kernel heap overflow that manifests on the system as a BSOD and carries a potential risk of privilege escalation.

HP-UX Running BIND DoS

A potential security vulnerability has been identified with HP-UX running BIND. The vulnerability could be exploited remotely to create a Denial of Service (DoS).

Gimp PSD Image Parsing Integer Overflow Vulnerability

Gimp can be exploited by malicious people to potentially compromise a user's system.

HP Power Manager Execution of Arbitrary Code

A potential security vulnerability has been identified with HP Power Manager. The vulnerability could be exploited remotely to execute arbitrary code.

HP DDMI Execution of Arbitrary Code

A potential security vulnerability has been identified with HP Discovery & Dependency Mapping Inventory (DDMI) running on Windows. The vulnerability could be exploited remotely by an authorized user to execute arbitrary code.

WordPress Unrestricted File Upload Arbitrary PHP Code Execution

WordPress allows authorised users to add an attachment to a blog post. It does not sanitize the provided file properly before moving it to an uploads directory.

SearchSecurity.com

SearchSecurity: Security Wire Daily News

The latest information security news on IT threats, vulnerabilities and market trends from the award-winning SearchSecurity.com.

Exploit code targets Internet Explorer zero-day display flaw

By Robert Westervelt

Exploit code is publicly available targeting an Internet Explorer cascading style sheet (CSS) handling error, according to Symantec.

Increase in Gumblar backdoors poses FTP credential problems

By Robert Westervelt

A security researcher explains how to detect the Trojan, but many victimized website owners don't have the technical expertise to fix the problem.

Hackers to sharpen malware, malicious software in 2010

By Robert Westervelt

Symantec researchers predict an increase in attacks using social network architectures, third-party applications and URL shortening services.

Health Net healthcare data breach affects 1.5 million

By Robert Westervelt

A lost hard drive contained seven years of patient data including Social Security numbers and medical records of more than a million Health Net customers.

Massive T-Mobile UK security breach involves insiders

By Robert Westervelt

A UK agency suspects insiders are behind a massive data breach at T-Mobile UK where customer data was pilfered and sold to competitors.

InZero Systems launches hardware-based security gateway

By Robert Westervelt

New InZero gateway uses hardware to halt malware by separating the endpoint from the network and isolating desktop software.

SANS RSS Feed

SANS NewsBites

All Stories From Vol: 11 - Issue: 92

House Science & Technology Committee Passes Cybersecurity Enhancement Act (November 19, 2009)

The US House Committee on Science and Technology has passed the Cybersecurity Enhancement Act of 2009, which "is based on the concept that in order to improve the security of our networked systems .......

NSA Helping to Harden Operating Systems (November 7, 18 & 19, 2009)

In testimony before the Senate Subcommittee on Terrorism and Homeland Security, National Security Agency (NSA) information assurance director Richard Schaeffer said that his agency helped Microsoft harden Windows 7 and that it is also helping Apple, Sun Microsystems, and Red Hat with similar endeavors.......

Proposed Legislation Prohibits P2P Use in Government and Contractor Computers (November 17 & 18, 2009)

A bill introduced in the US House of Representatives would prohibit the use of peer-to-peer (P2P) filesharing technology in government computers and those used by government contractors except in cases where its use has been officially approved.......

Lost Hard Drive Holds Seven Years of Health Net Patient Data (November 19, 2009)

A hard drive containing personal and medical information of 1.......

Three Charged in Comcast Redirect Attack (November 19, 2009)

Three men have been charged in connection with a redirection attack on Comcast's website.......

One Year Prison Sentence for Scientology DDoS (November 18 & 19, 2009)

A 19-year-old man from New Jersey has been sentenced to one year in federal prison for his role in a distributed denial-of-service (DDoS) attack against the Church of Scientology website that took place in January 2008.......

Banks Reissuing Credit Cards Following Report of Breach at Spanish Payment Company (November 18 & 19, 2009)

A German bank has recalled 60,000 credit cards after learning that the card numbers may have been compromised in a security breach at a Spanish payment company.......

Secondhand ATMs Pose Security Risk (November 18, 2009)

A security consultant who purchased an ATM secondhand through Craigslist found that it still held a log of hundreds of transaction details.......

UK Police Charge Two in Connection With Zeus Trojan (November 18, 2009)

Police in the UK have charged two people in connection with using the Zeus Trojan horse program.......

T-Mobile Customer Records Stolen and Sold (November 17 & 18, 2009)

T-Mobile has acknowledged that an employee stole customer records and sold them to data brokers who in turn sold the information to T-Mobile competitors.......

Microsoft Suit Involving Former Employee Settled, All Matters Resolved (November 17, 2009)

A settlement has been reached in a case brought by Microsoft against former employee Miki Mullor.......

Man Pleads Guilty in ATM Skimming Case (November 16 & 17, 2009)

Victor Vasile Constantin has pleaded guilty to charges of bank fraud and identity theft for his role in an ATM skimming scheme.......

SANS Internet Storm Center, InfoCON: green

SANS Internet Storm Center, InfoCON: green

Microsoft Security Advisory 977981 - IE 6 and IE 7 , (Tue, Nov 24th)

Related to Marc's Diary from 11/23, Microsoft has released Security Advisory 977981. It detail ...(more)...

New Nmap Beta Released, (Mon, Nov 23rd)

Earlier today, Fyodor announced the release of a new beta of Nmap. Nmap 5 ...(more)...

Government Approaches to Cybersecurity - What are your tips?, (Mon, Nov 23rd)

On the heels of a recent Government Accounting Office (GAO) finding that many US federal agencie ...(more)...

IE6 and IE7 0-Day Reported, (Sun, Nov 22nd)

According to VUPEN security: A vulnerability has been identified in Microsoft Internet Explorer, w ...(more)...

What is making you vulnerable?, (Sat, Nov 21st)

The VMware patch mentioned in the oneliner raises an interesting question. What is making you ...(more)...

VMware vCenter and ESX updates available http://lists.vmware.com/pipermail/security-announce/2009/000070.html , (Sat, Nov 21st)

PHP 5.3.1 is released. With many of the websites on the net relying on PHP and the number of attacks we see, consider upgrading. This release has over 100 bug fixes, some of which are security related., (Fri, Nov 20th)

Fedora to allow the installation of packages without root privileges?, (Thu, Nov 19th)

A bug created back in November against the latest Fedora release (12) indicates that, th ...(more)...

Using a Cisco Router as a "Remote Collector" for tcpdump or Wireshark, (Wed, Nov 18th)

Have you ever thought about your routers? I mean - *really* thought about them? They thi ...(more)...

The Register

The Register - Security

Biting the hand that feeds IT

Facebookers hit with steamy clickjacking exploit
'Click da button, baby!'

Facebook administrators have blocked a clickjacking exploit that displayed images of a scantily clad woman on profile pages without first prompting the user for permission.…

IE bug leaks private details from 50 million PDF files
Black hat recon courtesy of Microsoft

A bug in Microsoft's Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said.…

Google hoodwinked into pushing Chrome OS scareware
Tamper tantrum

Rogue anti-virus scammers have tainted search results for Chromium OS - the open source version of Google's Chrome OS - in a bid to expose surfers hunting the web operating system to a fake anti-virus scan scam instead.…

Cisco pumps out iPhone security app
World of IT threats in your pants

Cisco has pushed out a new iPhone app that helps IT managers respond to newly-detected security threats by the seat (pocket) of their pants.…

Symantec Japan website bamboozled by hacker
Plaintext passwords revealed

A Symantec-run website was vulnerable to a blind SQL injection flaw that reportedly exposes a wealth of potentially sensitive information.…

iPhone worm hijacks ING customers
No messing this time

Updated The second worm to infect jailbroken iPhone users reportedly targets customers of Dutch online bank ING Direct.…

First malicious iPhone worm slithers into wild
Jailbreakers under assault

A Dutch internet service provider has identified a worm that installs a backdoor on jailbroken iPhones and makes them part of a botnet.…

FDA takes aim at illegal net pharmacies
Please don't feed the spammers

The US Food and Drug Administration said it has completed a sweep of illegal online pharmacies that targeted 136 websites that appeared to be illegally selling drugs to American consumers.…

Hackers free Snow Leopard from Jobsian cage
Apple Atomness restored

Snow Leopard users are once again free to run the Apple operating system on hardware with Atom processors, courtesy of hackers in Russia.…

Potty-mouths charged for Comcast hijack
Destination '69 dick tard lane'

The potty-mouthed hackers who hijacked Comcast's domain name for several hours last year were charged with intentionally damaging a protected computer system.…

Wrecking CRU: hackers cause massive climate data breach
Secretive scientists' source code goes walkabout

The University of East Anglia has confirmed that a data breach has put a large quantity of emails and other documents from staff at its Climate Research Unit online. CRU is one of the three leading climate research centres in the UK, and a globally acknowledged authority on temperature reconstructions.…

QinetiQ mail virus patent attracts barbs
Looks a bit familiar

An anti-virus expert has poured cold water on a patent from British technology firm QinetiQ that supposedly offers a new technique for tackling malicious email attachments.…

MS discovers flaw in Google plug-in for IE
Google whacked

Microsoft has helped discover a flaw in the Google Chrome Frame plug-in for Internet Explorer users.…

Major IE8 flaw makes 'safe' sites unsafe
Microsoft's XSS buster busted

Exclusive The latest version of Microsoft's Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe.…

Users howl as Fedora 12 gives root to unwashed masses
Breaks Unix 'zero-assumption' trust model

Updated This story was updated about 11 hours after it was published to reflect that Fedora developers have reversed course. Operating system users once again will be required to enter a root password before installing software packages.

Scareware tool dumps smut on Windows PCs
Rogue clean-up tool poses child abuse frame risk

Rogue anti-virus slingers are getting even sneakier. Instead of offering to clean up non-existent malware threats as per the traditional approach, one rogue scanner offers to clean up images of porn it claims to have found on a prospective mark's PC.…

Spanish payment breach prompts huge German card recall
Holidaymakers at risk of fraud

German authorities have recalled more than 100,000 credit cards over fears that crooks may have obtained details of the cards via an unnamed Spanish payment processing firm.…

ISA report reveals email security lapse
Safeguarders slightly slipshod on safeguards

The Independent Safeguarding Authority's first annual report reveals that it sent an email with confidential data to the wrong address.…

Palin claims webmail hack disrupted GOP campaign
Yes, that was the problem, Sarah

Sarah Palin has described the hack of her webmail account as the "most disruptive" event in her campaign to become US vice president last year.…

The Register's threat predictions for 2010
What lurks in the New Year?

Webcast Find out what threats lie in wait for your business throughout 2010 and how to avoid them, with this free to view audio slideshow from The Register, in association with MessageLabs.…

Crypto pioneer and security chief exits Sun
One in the PKI?

Crypto pioneer and Sun Microsystems' veteran chief security officer Whitfield Diffie has left the company, with database-giant Oracle's acquisition still in the air.…

National Security Agency beefed Win 7 defenses
Now for Apple, Sun, and Red Hat

The National Security Agency helped Microsoft harden Windows 7 against attacks and is providing similar assistance to Apple, Sun Microsystems and Red Hat too, an agency official said.…

Stalker video peepholed ESPN bombshell
'Erin Andrews Naked Butt'

A Chicago man who stalked ESPN reporter Erin Andrews across the United States managed to secretly videotape America's sexiest sportscaster in the nude twice, federal prosecutors said Wednesday.…

Second-hand ATM trade opens up fraud risk
Craigslist cash machine contains 1,000 card numbers

Second-hand ATM machines containing sensitive transaction data are easily available for purchase on eBay or even Craigslist, according to an investigation by a US-based security consultant.…

UK cybercops cuff ZeuS Trojan suspect pair
Alleged Bonnie and Clyde of malware

A Manchester couple have been arrested on suspicion of using the notorious ZeuS Trojan horse to commit banking fraud.…

Facebook revises privacy policy
Plain English update

Facebook has published a simpler, easier to understand privacy policy which removes complicated technical and legal terms in the previous document without changing much of substance.…

Fortinet launches rare net security IPO
Roll-up, roll-up

Fortinet has set a price of $12.50 a share for its initial public offering on Wednesday. If all goes to plan, the security appliance firm and its investors stand to rake in more than $156m through the offer.…

Man charged in $111k domain name theft
eBayed to basketball pro

A New Jersey man has been charged with stealing the p2p.com domain name and selling it to a professional basketball player for more than $111,000 in the first US indictment for domain name theft.…

Network World on Security

The latest security news, analysis, reviews and feature articles from NetworkWorld.com.

Spyware Doctor With Antivirus: First Look

Shortly after we completed our current antivirus roundup, PC Tools released Spyware Doctor with AntiVirus 2010 ($40 for a one-year, three-PC license), the latest version of its paid antivirus tool. Though it came out too late for us to include in our malware detection testing, we were able to take the program for a quick spin.

Microsoft issues security advisory on IE vulnerability

Microsoft Monday night issued a security advisory that provides customers with guidance and workarounds for dealing with a zero-day exploit aimed at Internet Explorer.

Hacks of Chinese temple were online kung fu, abbot says

A hacker who posted a fake message on the Web site of China's famous Shaolin Temple repenting for its commercial activities was just making a mean joke, the temple's abbot was cited as saying by Chinese state media Monday.

11 Security Tips for Black Friday, Cyber Monday

This holiday shopping season, IT and physical security practitioners have the tough task of protecting customer data and preventing shoplifting. Here are 11 tips to bring sanity to the process.

New iPhone worm steals online banking codes, builds botnet

Hackers have borrowed a tactic from the world's first iPhone worm to build a botnet that steals data, including online banking credentials, from jailbroken Apple smartphones.

Five ways to lose your identity (and wallet) this holiday season

Computerworld offers tips to holiday shoppers looking to expose their personal data to online thieves.

Google Chrome OS: Big Brother Google Gets Bigger

Google's mantra is "Don't be evil." Let's hope the tech giant means it, because if Chrome OS succeeds in replacing Windows as the world's dominant operating system, Google's sway over the computing world could be exponentially higher than it is today.

Third iPhone worm targets jailbroken iPhones

Another week, another worm hitting jailbroken iPhones. As with the previous exploits, which Rickrolled your phone's wallpaper and stole your data, this nasty piece of work burrows its way into your jailbroken device if you haven't changed the password for the iPhone's root account--you have changed your root password, right? Right?

Information security and business strategy Part 1

I've known David Greer for over 25 years and have always enjoyed his intelligence, good humor and creativity. And Stephen Northcutt is so widely published, cited and respected in our field that I had trouble deciding which of his many Web sites to cite. It is a great pleasure to publish Greer's interview of Northcutt in two parts.

New attack fells Internet Explorer

A hacker has posted attack code that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser.

Global warming research exposed after hack

An anonymous hacker has posted private e-mails, files and other documents belonging to a noted climate researcher, sparking an international debate between skeptics of global warming and those who see it as an urgent problem.

Gartner lays out Top 10 strategic technologies

At this week's Gartner Symposium in Sydney, the analyst firm presented its top 10 strategic technologies for 2010.

Google Chrome OS: Everything You Need to Know

Google finally unveiled its Chrome operating system, promising a cloud-based OS that will be fast, simple and secure on netbooks. CIO.com's Shane O'Neill rounds up the latest Chrome OS reviews and news analysis stories.

Two approaches to NFC battle for French hearts and mobiles

Two competing approaches to equipping mobile phones with contactless communications capabilities vied for supporters at the Cartes exhibition in Paris this week. Either approach could turn phones into self-service electronic tour guides, travel tickets or secure payment terminals.

Banks on watch after suspected card breach

An apparent data breach in Spain has caused Visa and MasterCard to warn banks of possible fraudulent credit card transactions.

EU security agency highlights cloud computing risks

Cloud computing users face problems including loss of control over data, difficulties proving compliance, and additional legal risks as data moves from one legal jurisdiction to another, according to an assessment of cloud computing risks from the European Network and Information Security Agency (ENISA).

Cisco's free iPhone app grabs security feeds

Cisco has made available a free iPhone app that can be used to receive over a dozen security-related information feeds in customizable form related both to Cisco products and to general security topics, such as newly detected threats.

Three indicted for Comcast hack last year

Three hackers have been indicted for redirecting the Comcast.net Web site to a page of their own making in 2008.

Security pro says new SSL attack can hit many sites

A Seattle computer security consultant says he's developed a new way to exploit a recently disclosed bug in the SSL protocol, used to secure communications on the Internet. The attack, while difficult to execute, could give attackers a very powerful phishing attack.

Businesses slow to adapt to changing security environment

Businesses are slow to adapt to the changing security environment, according to a major report.

Track your stolen laptop for free with Prey

If you're not worried about this when you're out in public with your laptop, you should be: What if someone steals your computer -- and its precious data that comprises your digital personal and work life?

Fake Payment Request Attack Ramps Up

A currently underway attack is attempting to trick victims with an e-mail that purports to request a verification for payment to a major company, but instead carries a Trojan.

Most security products flunk test on basic use: ICSA Labs

Almost 80 per cent of security products failed to pass the first test required before certification, according to the latest report released by ICSA Labs.

More vigilance needed as social networking rises: F-Secure

Security solutions firm F-Secure Malaysia says greater vigilance is needed as the use of social networking is gathering pace compared to e-mail.

Microsoft denies it built 'backdoor' in Windows 7

Microsoft today denied that it has built a backdoor into Windows 7, a concern that surfaced on Wednesday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system.

Cyberattacks on U.S. military jump sharply in 2009

Cyberattacks on the U.S. Department of Defense -- many of them coming from China -- have jumped sharply in 2009, a U.S. congressional committee reported Thursday.

Hackers exploit release of Twilight New Moon film

Hackers are exploiting web users searching for information about the Twilight New Moon film, due to be released this week, in a bid to spread malware, says PC Tools.

3 Basic Steps to Avoid Joining a Botnet

It's getting more difficult to keep employees safe and free from malicious activity online. But Team Cymru's Steve Santorelli presents a combination of techniques that can make their chances of infection much lower.

FAA fixes computer glitch, delays remain

The Federal Aviation Administration says that it has fixed a computer glitch responsible for flight delays across the United States, although it says that possible flight delays may still be in the cards.

Security vendor Fortinet sparkles in IPO

Shares of security vendor Fortinet surged 33 percent Wednesday as the company made its debut on the public markets.

Pentagon expands exclusive deal with McAfee

The U.S. Defense Department is expanding its exclusive arrangement with McAfee, whose security software is at the heart of the military's cybersecurity efforts.

T-Mobile Customers Suffer Data Breach

T-Mobile is again giving its customers -- and prospective customers -- reason to be nervous.

BlackBerry Security Exec Warns of Smartphone DDoS Attacks

BlackBerry and smartphone security in general hasn't garnered much attention or concern over the past few years--at least from a consumer, or user, perspective; enterprises have been invested in mobile device security since the advent of the PDA.

China defense ministry site fends off hackers

The Web site of China's defense ministry was attacked 2.3 million times in its first month online, Chinese state media said Wednesday.

Fake Facebook page steals login details

A fake Facebook page designed to steal social networkers' login details has been uncovered by PandaLabs.

The Mass. 201 CMR 17 Survival Guide

As companies scramble to meet the requirements of the Bay State's data security law, CSOonline.com offers this collection of articles and podcasts to help IT security practitioners and compliance officers find the best approach.

Two thirds of Brits to shop online for Christmas

Nearly two thirds of Brits (68 percent) are planning on buying at least half of their gifts online this Christmas, says Webroot.

UK police reveal arrests over Zeus banking malware

British police said Wednesday they've made the first arrests in Europe of two people for using Zeus, a sophisticated malicious software program that can scoop up any sensitive information on a PC.

Risk Assessment Framework Helps Bank Secure Apps

With about a million customers, ICICI Bank manages close to Rs 50,000 crore (US$10.8 billion) in assets. A lot of that money is processed by about 550 bank applications that both its customers and about 10,000 of the bank's employees use. However, it was not always clear how open to vulnerabilities these applications were. It was not a state of affairs the bank wanted to continue. "The bank wanted a high level of assurance for all its applications," says Pravir Vohra, Group CTO, ICICI Bank, "within 18 months."

How Jindal Poly Films Fought Internet Threats

A part of the Rs 3,000-crore (US$650 million) B.C. Jindal Group, the 25-year-old Jindal Polyfilm is the largest manufacturer of PET film and BOPP films in the country with revenues of Rs 2,000 crore.

Heartland CEO: Encryption on track despite dispute

In a conversation with Computerworld today, Heartland CEO and Chairman Robert Carr blasted VeriFone's lawsuit and its suggestion that Heartland is incapable of supporting VeriFone customers.

How to hack China for just $1,800

Fraudsters may have a hot deal waiting for them in the form of an obscure Chinese domain name that's for sale on the Internet.

Firefox 3.6 locks out rogue add-ons

Mozilla is adding a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said.

Smartphones on Wi-Fi vulnerable to security attack

A new report from a mobile security vendor details how the most popular smartphones, including the iPhone, are very vulnerable to man-in-the-middle attacks, carried out via public Wi-Fi connections.

The six greatest threats to US cybersecurity

It's not a very good day when a security report concludes: "Disruptive cyber activities expected to become the norm in future political and military conflicts." But such was the case today as the Government Accountability Office took yet another critical look at US federal security systems and found most of them lacking.

InSecurity Complex

Keeping tabs on flaws, fixes, and the people behind them.

Microsoft warns of IE exploit code in the wild

By Elinor Mills

Company says it is investigating publicly published exploit code that allegedly could lead to computers running versions 6 or 7 of the browser getting compromised.

Chrome OS security: 'Sandboxing' and auto updates

By Elinor Mills

Google operating system will feature many of the same security features as the Chrome browser, including "sandboxing" of applications, auto updating, and antiphishing.

Fortified rice, fuel cells among Tech Award winners

By Elinor Mills

Al Gore receives humanitarian honor at Tech Museum event that provides prizes to projects in the areas of environment, health, biosciences, economic development, equality, and education.

Cisco launches iPhone security app

By Elinor Mills

Cisco Systems' new App Store entry, featuring customized alerts and threat information delivered to the handheld device, targets security professionals.

T-Mobile UK says workers sold customer data

By Elinor Mills

British consumer privacy commissioner says he will prosecute over sale of customer data by T-Mobile UK employees.

Info Security News

Carries news items (generally from mainstream sources) that relate to security.

Recent Air Force Law Review discusses Cyberlaw

Posted by InfoSec News on Nov 22

http://www.maxwell.af.mil/news/story.asp?id=123178704
By Carl Bergquist
Air University Public Affairs
11/20/2009

MAXWELL AIR FORCE BASE, Ala. -- Volume 64 of the Air Force Law Review is now available in hardcopy and online. Published this year, it is sub-titled the "Cyberlaw Edition."

Largely the result of a symposium held at the Judge Advocate General School at Maxwell Air Force Base, the edition addresses many of the issues...

Three Indicted For Comcast Site Hack

Posted by InfoSec News on Nov 22

http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=221900520
By Tim Wilson
DarkReading
Nov 20, 2009

Three alleged hackers this week were indicted for a 2008 attack that redirected traffic from the Comcast Website to a prank page.

Christopher Allen Lewis, 19, and James Robert Black Jr., 20, are accused of being the hackers "EBK" and "Defiant," who hijacked the Comcast domain in May of last year,...

Hackers steal electronic data from top climate research center

Posted by InfoSec News on Nov 22

http://www.washingtonpost.com/wp-dyn/content/article/2009/11/20/AR2009112004093.html
By Juliet Eilperin
Washington Post Staff Writer
November 21, 2009

Hackers broke into the electronic files of one of the world's foremost climate research centers this week and posted an array of e-mails in which prominent scientists engaged in a blunt discussion of global warming research and disparaged climate-change skeptics.

The skeptics have seized upon...

Secunia Weekly Summary - Issue: 2009-47

Posted by InfoSec News on Nov 22

========================================================================
The Secunia Weekly Advisory Summary
2009-11-13 - 2009-11-20
This week: 72 advisories
========================================================================
Table of Contents:
1.....................................................Word From...

China Cyber Espionage Threatens U.S., Report Says

Posted by InfoSec News on Nov 22

http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221900505
By Thomas Claburn
InformationWeek
November 20, 2009

China has increased its cyber espionage efforts to acquire U.S. secrets and technology, a Congressional advisory group warned in a report issued on Thursday.

Echoing its 2008 and 2007 reports, which labeled China's espionage efforts "the single greatest risk to the security of American...

FBI looking at UMC records leak

Posted by InfoSec News on Nov 22

http://www.lasvegassun.com/news/2009/nov/21/fbi-looking-umc-records-leak/
By Marshall Allen
The Las Vegas Sun
Nov. 21, 2009

The FBI said Friday it may investigate a breach of patient privacy laws at University Medical Center, where hospital officials are reeling with the realization that at least one of their employees has leaked confidential names, birth dates and Social Security numbers.

UMC officials spent Friday determining how they...

Microsoft denies it built 'backdoor' in Windows 7

Posted by InfoSec News on Nov 20

http://www.computerworld.com/s/article/9141182/Microsoft_denies_it_built_backdoor_in_Windows_7
By Gregg Keizer
Computerworld
November 19, 2009
Microsoft today denied that it has built a backdoor into Windows 7, a
concern that surfaced yesterday after a senior National Security Agency
(NSA) official testified before Congress that the agency had worked on
the operating system.
"Microsoft has not and will not put 'backdoors' into...

Re: FBI Suspects Terrorists Are Exploring Cyber Attacks

Posted by InfoSec News on Nov 20

Forwarded from: Richard Forno <rforno (at) infowarrior.org>
The second paragraph undermines the whole article, as such statements
tend to do in all articles warning of cyber or terrorist attacks, just
as any number of 'stories' citing some new DHS or FBI terror threat that
suddenly hits the airwaves periodically during the year.
This entire article simply says -er, repeats- that "terrorists may
consider cyber attacks."...

Bill Would Ban P2P Use By Federal Employees

Posted by InfoSec News on Nov 20

http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=221900107
By J. Nicholas Hoover
InformationWeek
November 18, 2009
Following a leaked document that disclosed ethics investigations of
members of Congress on a file sharing network, the chairman of the House
Oversight and Government Affairs Committee has introduced a bill that
would ban the use of public peer-to-peer networks by federal employees.
The Secure...

Crypto pioneer and security chief exits Sun

Posted by InfoSec News on Nov 20

http://www.theregister.co.uk/2009/11/19/diffie_leaves_sun/
By Gavin Clarke in San Francisco
The Register
19th November 2009
Crypto pioneer and Sun Microsystems' veteran chief security officer
Whitfield Diffie has left the company, with database-giant Oracle's
acquisition still in the air.
According to Technology Review, Diffie is slated to be a visiting
professor at Royal Holloway, University of London, after 18 years at
Sun, latterly in...

Palin Calls E-Mail Hack 'Most Disruptive' Campaign Event

Posted by InfoSec News on Nov 20

http://www.wired.com/threatlevel/2009/11/palin-hack-2
By Kim Zetter
Threat Level
Wired.com
November 18, 2009
Never mind the disastrous interview with Katie Couric or the blank
stares in response to Charlie Gibson's question about the Bush Doctrine.
Former vice presidential candidate Sarah Palin calls the hacking of her
Yahoo e-mail account "the most disruptive and discouraging" incident in
last year's presidential campaign....

The Perfect Holiday Gift For Any Security Pro: A Bruce Schneier Action Figure

Posted by InfoSec News on Nov 20

http://www.darkreading.com/security/management/showArticle.jhtml?articleID=221900184
By Tim Wilson
DarkReading
Nov 18, 2009
Move over, James Kirk and Luke Skywalker -- there's a new action figure
popping up on top of security professionals' computers -- and this one
is a real guy.
A miniature version of BT Counterpane security guru Bruce Schneier --
complete with beard and ponytail -- is now available from the That's My
Face site.
The...

FC 2010: Call for Posters. Accepted Papers.

Posted by InfoSec News on Nov 20

Forwarded from: Conference Mailer <noreply (at) moon.crypto.cs.stonybrook.edu>
Financial Cryptography and Data Security
Tenerife, Canary Islands, Spain
25-28 January 2010
http://fc10.ifca.ai
Dear Colleagues,
We would like to invite you to submit a poster (deadline extended to
December 3rd) and participate in the 2010 Financial Cryptography and
Data Security Conference, January 25-28, 2010 in Tenerife, Canary
Islands, Spain, a...

NSA helped with Windows 7 development

Posted by InfoSec News on Nov 19

http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development?taxonomyId=17
By Gregg Keizer
Computerworld
November 18, 2009
The National Security Agency (NSA) worked with Microsoft on the
development of Windows 7, an agency official acknowledged yesterday
during testimony before Congress.
"Working in partnership with Microsoft and elements of the Department of
Defense, NSA leveraged our unique expertise and...

PS3s used to capture child pornographers

Posted by InfoSec News on Nov 19

http://www.gamespot.com/news/6240562.html
By Tom Magrino
GameSpot
Nov 17, 2009
The PlayStation 3 has been used for a variety of altruistic tasks
following its launch in 2006. Perhaps the most high-profile of these
ventures is the Folding@home project, which uses spare processing power
from idling, networked PS3s to undertake the arduous task of simulating
protein folding in order to study the causes of various diseases.
The latest...

FBI Suspects Terrorists Are Exploring Cyber Attacks

Posted by InfoSec News on Nov 19

http://online.wsj.com/article/SB125850773065753011.html
By Siobhan Gorman
Wall Street Journal
November 19, 2009
The Federal Bureau of Investigation is looking at people with suspected
links to al Qaeda who have shown an interest in mounting an attack on
computer systems that control critical U.S. infrastructure, a senior
official told Congress Tuesday.
While there is no evidence that terrorist groups have developed
sophisticated...

Hackers descend upon defense website

Posted by InfoSec News on Nov 19

http://english.people.com.cn/90001/90782/90872/6817348.html
People's Daily Online
November 19, 2009
Hackers are trying to penetrate the website of China's Ministry of
National Defense and have made more than 2 million attacks on it within
one month since the site's launch three months ago, People's Daily
reported Wednesday.
The efforts are seen as a sign of the increasing vulnerability facing
China's official websites.
"Since the...

In-Q-Tel Invests In Cybersecurity Company

Posted by InfoSec News on Nov 19

http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221900133
By J. Nicholas Hoover
InformationWeek
November 18, 2009
The independent venture arm of the U.S. intelligence community,
In-Q-Tel, has invested in cybersecurity company FireEye, the company
announced Wednesday.
In-Q-Tel and FireEye didn't disclose terms of the agreement, or which
intelligence agencies are particularly interested in the technology....

Hospitals tighten security on patient data

Posted by InfoSec News on Nov 19

http://fcw.com/articles/2009/11/18/hospitals-beefing-up-cybersecurity-to-comply-with-hitech-survey-says.aspx
By Alice Lipowicz
FCW.com
Nov 18, 2009
More than half of the nation's hospitals and health care providers
surveyed intend to buy more cybersecurity tools to safeguard against
breaches of electronic medical records as a result of requirements in
the economic stimulus law, according to a new survey of 186 health care
providers and...

Pentagon expands exclusive deal with McAfee

Posted by InfoSec News on Nov 19

http://www.networkworld.com/news/2009/111809-pentagon-mcafee.html
By Carolyn Duffy Marsan
Network World
11/18/2009
The U.S. Defense Department is expanding its exclusive arrangement with
McAfee, whose security software is at the heart of the military's
cybersecurity efforts.
McAfee was selected three years ago for the Department of Defense's Host
Based Security System (HBSS), which provides standard intrusion
prevention and firewall...

Penetration Testing Grows Up

Posted by InfoSec News on Nov 19

http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221900215
By Kelly Jackson Higgins
DarkReading
Nov 18, 2009
Penetration testing, once considered a risky practice for the enterprise
and even a tool for evil hacking purposes, is becoming more of an
accepted mainstream process in the enterprise mainly due to compliance
requirements and more automated, user-friendly tools -- and most
recently, the imminent...

Microsoft Settles Employee Spying Case

Posted by InfoSec News on Nov 17

http://www.pcworld.com/article/182372/microsoft_settles_employee_spying_case.html
[See also: http://www.infosecnews.org/hypermail/0902/15870.html - WK]
By Nancy Gohring
IDG News Service
Nov 17, 2009
Microsoft has settled a lawsuit with a former employee that it once
charged with fraud, misappropriation of trade secrets and breach of
contract.
Neither party has admitted to any wrongdoing and they will not reveal
the details of the...

3 basic steps can thwart most cyberattacks, NSA security official says

Posted by InfoSec News on Nov 17

http://gcn.com/articles/2009/11/17/nsa-3-steps--better-cybersecurity.aspx
By Ben Bain
GCN.com
Nov 17, 2009
Computer systems with proper security and network controls should be
able to withstand about 80 percent of known cyberattacks, according to a
senior National Security Agency official.
There are common steps that people could take to bolster computer
security and make it more difficult for would-be-hackers to gain access,
Richard...

How to hack China for just $1,800

Posted by InfoSec News on Nov 17

http://www.computerworld.com/s/article/9141060/How_to_hack_China_for_just_1_800?taxonomyId=17
By Robert McMillan and Owen Fletcher
IDG News Service
November 17, 2009
Fraudsters may have a hot deal waiting for them in the form of an
obscure Chinese domain name that's for sale on the Internet.
The wpad.cn domain is for sale, according to a note posted on the Web
site. That fact probably doesn't mean much to most people, but to Duane
Wessels...

T-Mobile says workers sold customer data

Posted by InfoSec News on Nov 17

http://news.cnet.com/8301-27080_3-10400213-245.html
By Elinor Mills
InSecurity Complex
CNet News
November 17, 2009
T-Mobile workers sold personal data on thousands of customers to third
parties who then called the individuals as their wireless contracts were
due to expire, a T-Mobile spokesman has confirmed.
T-Mobile notified England's Information Commission, the watchdog agency
responsible for safeguarding consumer privacy, and said the...

Firms spend only up to 20% of their budget on IT security

Posted by InfoSec News on Nov 17

http://www.business24-7.ae/Articles/2009/11/Pages/17112009/11172009_7960702f439e404c872525721c2a4383.aspx
By Nancy Sudheer
Business 24-7
November 17, 2009
Security accounts for only 10 to 20 per cent of overall IT budgets
within UAE enterprises - well below global standards.
There is awareness, say experts, but security is still often viewed with
a closed mind.
IT security is not just about protecting the perimeter but has evolved
as Web...

Personal info jeopardized after Workers' Comp Court computer hacked

Posted by InfoSec News on Nov 17

---------- Forwarded message ----------
Date: Wed, 18 Nov 2009 00:02:12 -0600 (CST)
From: InfoSec News <alerts () infosecnews org>
To: submissions () infosecnews org
Subject: Personal info jeopardized after Workers' Comp Court computer hacked
http://journalstar.com/news/local/crime-and-courts/article_b9a02f46-d3a9-11de-85e5-001cc4c002e0.html
By Catharine Huddle
Lincoln Journal Star
November 17, 2009
The Nebraska State Patrol and FBI are...

Hackers broke into the site, says ONS

Posted by InfoSec News on Nov 17

http://g1.globo.com/Noticias/Tecnologia/0,,MUL1380926-6174,00-HACKERS+INVADIRAM+SITE+DIZ+ONS.html
[Google Translation - WK]
By Juliana Carpanez and Altieres Rohr
From G1, in Sao Paulo
16/11/09
The National System Operator (ONS) confirmed on the afternoon of
Monday (16) that its corporate network was hacked late on Thursday - the
gap was corrected the same day. It said there is no evidence of intrusion
into the network's operational site....

Federal Computer Week: Security News

IT security for medical devices a problem, officials say

Medical devices on the VA's networks make it difficult to ensure data security, two senior officials told a federal health IT panel.

DHS proposes permanent status for biometrics-based traveler program

The Homeland Security Department wants to expand a program that uses biometrics to verify identity and speed processing times for airline passengers.

SSA should keep a close eye on computer access, IG says

The Social Security Administration is generally following FISMA guidelines, but needs to do more close monitoring of computer access controls, SSA's inspector general finds.

Industry would get hit in cyber war, report says

Privately owned critical infrastructure likely to be targeted in a cyber war between nations, a report says.

Army chief of staff outlines global security challenges

Army Chief of Staff Gen. George Casey outlines four key areas that must be addressed for global security.

Feds falling behind in the race against cyber threats, GAO says

Despite increased cooperation among agencies that protect the government's information infrastructure, persistent vulnerabilities and lack of comprehensive security programs leave government IT systems vulnerable to attack.

eWeek Security Watch

New Facebook Worm Spreads

In Web 2.0

Researchers at AVG Technologies reported a new worm making the rounds on Facebook.

Fallen Beauty: Attackers Feast on Prejean Scandal

In multimedia

You likely could have predicted that when a sex tape of a former beauty queen surfaced, related cyber-attacks would not be far behind.

RSA Reveals Inner Workings of Reshipping Scheme

In Social engineering

RSA took a look inside the other end of a cyber-crime operation - the mules shipping merchandise overseas after attackers have purchased it with stolen credit card information.

Researchers: Online Threats Demand New Security Model

In Trojan attacks

Traditional defenses aren't adding up when it comes to stopping Web-based threats, but cloud-based services may help, researchers contend.

Sizing Botnets No Exact Science

In Virus and Spyware

After cutting off the notorious Mega-D botnet, researchers with FireEye are attempting to find out just how massive the zombie network might have been.

Unified Creeps: Cyber-crime to Rage on in '10

In Virus and Spyware

Year-ahead security landscape predictions are not immune to the theory of unified cultural creep. But, on the flip side, they're already here.

Attackers Abuse Google to Push Rogueware

In SEO

Security researchers at Cyveillance uncovered a massive attack abusing Google search results to direct users to sites hosting rogue antivirus software.

DarkReading - Security News

DarkReading

Affiliate Marketing Sales Contests for the Holidays from Experience Advertising

Cloud AntiVirus Company Immunet Secures $2 Million in Funding Led by Altos Ventures

Magellans.com Signs Three Year Agreement With Warp 9

Universal Music Group (UMG) Partners With Guvera Limited for 2010 Launch of Guvera.com

New Software Innovation From New Momentum Makes It Easy to Identify the Top Counterfeit and Gray Market Violators

SingleHop Named 'Most Reliable Web Hosting Company' for October 2009 by Leading Web Hosting Analyst Netcraft

Picis ED PulseCheck Increases Security and Privacy Protection in Nearly 150 Hospitals Through the Use of DigitalPersona Biometrics

DarkReading - All Stories

DarkReading

Employees Willing To Steal Data; Companies On The Alert

Two separate studies indicate a loss of trust, loyalty between employees, management, potentially leading to data theft

Encryption Making Little Headway Among IT Pros: Survey

Only 14% of respondents to InformationWeek Analytics' State of Encryption Survey say encryption is pervasive in their organizations

Microsoft: 'TaterF' Worm Top Malware Threat So Far This Month

Software giant reveals November stats from Malicious Software Removal Tool

Former Database Administrator Convicted Of Hacking His Old Firm

Ex-employee of GEXA Energy attacked his old database months after being terminated, court says

Tech Insight: 3 Factors To Assess Before Doing Your Own Penetration Testing

What you need to know about bringing penetration testing in-house

Product Watch: BitArmor Launches Cloud-Based Encryption Managed Service For USBs, Email, Disks

DataControl 4.0 service offers military-grade encryption for midsize companies

Proposed Law Seeks To Ban P2P Networks By Federal Workers

Under the Secure Federal File Sharing Act, an agency head or CIO would have to make a special request to use P2P software

Cryptographic Voting System Runs First Election

Scantegrity II is an open-source election verification technology that uses privacy-preserving confirmation numbers to ensure each vote is counted

ENISA Offers Security Recommendations For Cloud Services

New ENISA report outlines security benefits and risks of cloud services, offers guidelines for choosing providers

Product Watch: Ksplice Wins Global Cybersecurity Challenge

Startup wins award for software that delivers security updates without a reboot

In-Q-Tel Joins Forces With FireEye To Fight Cyberthreats

FireEye sells an out-of-band security appliance that monitors all inbound network traffic

New IBM Database Flaw Could Affect Several Other Vendors' Products

Denial-of-service (DoS) attack vulnerability in IBM's SolidDB affects HP OpenView

Firefox 3.6 Beta 3 Debuts

Mozilla made structural change that aims to improve the browser's stability

Penetration Testing Grows Up

Metasploit's expected entry into the commercial penetration testing market is the latest step toward making pen-testing more mainstream

T-Mobile: Employee Data Theft Leads To U.K.'s Largest Data Breach

T-Mobile employee sold millions of customer records to data brokers, reports say

Product Watch: Fortinet Issues An IPO

Security appliance, UTM vendor goes public

McAfee Releases Cybercrime Report

Fifth Annual Virtual Criminology report covers a variety of longstanding cybersecurity problems

Survey: Patient Data At Risk From Healthcare Partners

About a third of healthcare business associates are not aware they needed to comply with HIPAA's security and privacy provisions

VeriSign Chosen To Protect The Windows Azure Platform

Microsoft will use VeriSign Secure Sockets Layer Certificates, VeriSign Code Signing Certificates to safeguard cloud-based services and applications

Startup Promises 'Disruptive,' Hardware-Based Endpoint Security Solution

New endpoint security hardware promises to insulate computers from Internet threats

Product Watch: Microsoft Unveils Windows Identity Foundation

New .NET tool, Azure cloud computing platform announced today

Senate Hears Testimony From Federal Cybersecurity Pros

National Cyber Incident Response plan should be ready by December or January

New Metasploit Version Released

Version 3.3 is faster, and includes support for Windows 7

Big-Name Vendors Team On Disaster Preparedness, Recovery

IT can play a major role in boosting the effectiveness of response efforts, say alliance sponsors that include Microsoft, Google, Yahoo

Darknet - Hacking, Cracking & Computer Security

Darknet - The Darkside

Ethical Hacking, Penetration Testing & Computer Security

First Malicious iPhone Worm In The Wild

By Darknet on malicious iphone worm

It’s a little less than 2 weeks since the Jailbroken iPhone Users Got Rickrolled and as I thought a similar worm has been seen in the wild – but this time with malicious intent. As the rickrolling incident showed, even the more savvy users that jailbreak their phones neglect to change the default SSH password meaning [...]
Read the full post at darknet.org.uk

Microsoft Confirms First Windows 7 0-Day Vulnerability

By Darknet on windows-security

So a pretty serious remote vulnerability has been discovered in Windows 7, as usual Microsoft is downplaying the problem asking you to block the ports on your firewall rather than fixing the issue. I’d imagine the problem would only really be a big issue inside networks as who exposes SMB ports to the outside world anyway [...]
Read the full post at darknet.org.uk

CounterMeasures - A Security Blog

Rik Ferguson blogs about current security issues.

Symantec hacked? Full disk and database access?

By Rik Ferguson on web

Back in February of this year, the Romanian hacker Unu found a SQL injection vulnerability in a Kaspersky tech support portal server based in the USA. That vulnerability when exploited allowed full access to all the database tables, exposing things such as usernames and activation codes. Well, Unu strikes again and this time Symantec is the [...]

Europe’s heartland in large-scale credit card theft

By Rik Ferguson on data loss

Initial reports of a possible large scale breach of credit card data from a payment processing company in Spain are sketchy at best and the lack of information is not helping to allay the concerns of credit card customers across Europe. In a statement released today, the Zentraler Kreditausschuss (Central Credit Committee) explained that German banks [...]

CNET News - Security

Microsoft warns of IE exploit code in the wild

By Elinor Mills

Company says it is investigating a publicly published exploit code that allegedly could lead to computers running versions 6 or 7 of the browser getting compromised.

Originally posted at InSecurity Complex

Chrome OS security: 'Sandboxing' and auto updates

By Elinor Mills

Google operating system will feature many of the same security features as the Chrome browser, including "sandboxing" of applications, auto updating, and antiphishing.

Originally posted at InSecurity Complex

E-tailers snagged in marketing 'scam' blame customers

By Greg Sandoval

Priceline, Classmates.com, and Orbitz say customers should read the fine print before complaining about being charged recurring monthly fees to join loyalty programs they didn't want.

McAfee warns about '12 Scams of Christmas'

By Larry Magid

Shoppers and retailers aren't the only ones gearing up for the holidays. Criminals are out in full force with plenty of scams to separate you and your money.

Originally posted at Safe and Secure

Cisco launches iPhone security app

By Elinor Mills

Cisco Systems' new App Store entry, featuring customized alerts and threat information delivered to the handheld device, targets security professionals.

Originally posted at InSecurity Complex

Town to photograph every car that enters and leaves

By Chris Matyszczyk

The California town of Tiburon votes to set up permanent cameras to record the license plate of every car on its roads. Is this one more step toward a surveillance state?

Originally posted at Technically Incorrect

New Firefox 3.6 beta aims to cut crashes

By Stephen Shankland

The third beta imposes a new restriction on how third-party software can interact with it. And a feature called Resource Package could speed up Firefox 3.7.

Originally posted at Deep Tech

Facebook adopts new privacy policy

By Steven Musil

The social-networking site hopes that policy revision will make the policy more accessible and easier to understand.

Originally posted at News - Digital Media

CGISecurity - Website and Application Security News

All things related to website, database, SDL, and application security since 2000.

Symantec SQL Injected, Seeks Counseling

By Robert A. on IndustryNews

"The Romanian hacker who successfully broke into a web site owned by security vendor Kaspersky Lab has struck again, this time exposing shortcomings in a Symantec web server. The hacker, known only as Unu, said in a blog post today that he was able to access a server belonging to the security...

Firefox 3.6 locks out rogue add-ons

By Robert A. on IndustryNews

From computerworld "Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said. The new feature, which Mozilla dubbed "component directory lockdown," will bar access to Firefox's "components" directory, where most of the browser's own code is stored. The company...

Darknet - The Darkside

Ethical Hacking, Penetration Testing & Computer Security

Metasploit 3.3 Released! Exploitation Framework

By Darknet on vulnerabilities

What is Metasploit? The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework...
Read the full post at darknet.org.uk
