Zero Day
Tracking the hackers
How many people fall victim to phishing attacks?
By Dancho Danchev on Spam and Phishing
According to a recently released report, based on a sample of 3 million users collected over a period of 3 months, approximately 45% of the time, users submitted their login information to the phishing site they visited.
SpyPhone app harvests personal data from stock iPhones
By Ryan Naraine on iPhone
The iPhone app can snag geolocation data, passwords, address book entries and email account information, all using just the public API that Apple has made available to developers.
Critical Adobe Flash, Adobe Air patches on tap
By Ryan Naraine on Vulnerability research
The patches will be released alongside updates from Microsoft and will affect all platforms -- Windows, Mac OS X and Linux.
Patch Tuesday heads-up: MS to fix 'critical' IE, Office security holes
By Ryan Naraine on Vulnerability research
Microsoft plans to release six security bulletins next Tuesday (December 8, 2009) to fix security flaws affected IE, Microsoft Office and the Windows operating system.
Critical zero-day flaw found in Adobe Illustrator
By Ryan Naraine on Vulnerability research
Adobe's security response team is scrambling to deal with the release of exploit code for what appears to be a critical zero-day flaw in the Adobe Illustrator CS4 software product.
Cache poisoning vulnerability in ISC BIND 9
By Ryan Naraine on Vulnerability research
The vulnerability exists in the way BIND 9 handles recursive client queries that may cause additional records to be added to its cache.
Fake H1N1 (Swine Flu) alerts lead to malware
By Ryan Naraine on Viruses and Worms
The e-mail messages contain a link to a bogus Centers for Disease Control and Prevention site with prompts to create a user profile. During this process, a malware file gets planted on the user's machine.
Beware of rigged PDF files on BlackBerry
By Ryan Naraine on Vulnerability research
Hackers can use maliciously rigged PDF files to hack into corporate systems hosting the BlackBerry Attachment Service.
Koobface botnet enters the Xmas season
By Dancho Danchev on Web 2.0
The Koobface botnet enters the Xmas season with a new holiday-themed YouTube page. In between, the botnet masters are clearly experimenting with new features. Let's review some of them.
Exploit published for FreeBSD local root vulnerability
By Ryan Naraine on Pen testing
The FreeBSD security team has rushed out a temporary patch to cover a local root vulnerability that exposes users to code execution attacks.
Clientless SSL VPNs expose corporate users to attacks
By Ryan Naraine on Vulnerability research
This security problem, discussed since at least 2006, could let an attacker could use these devices to bypass authentication or conduct other web-based attacks.
New ransomware attack blocks Internet access
By Ryan Naraine on Viruses and Worms
Once a machine is infected, a message is posted in Russian demanding a ransom under the guise of activating the uFast Download Manager application.
Opera patches 'extremely severe' security hole
By Ryan Naraine on Responsible disclosure
Opera has shipped a new version of its browser to fix three security vulnerabilities, one rated "extremely severe."
Yahoo! News: Security News
Security News
Thanksgiving Webcam Promo Leads to Malware (PC World)
In technology
PC World - The US$10 webcam that Anna Giesman bought her daughter at Office Depot over the Thanksgiving weekend sounds like one of those deals that's too good to be true. And for her, it was.
New Study Calls for Cybersecurity Overhaul in U.S. (PC World)
In technology
PC World - The U.S. government and private businesses need to overhaul the way they look at cybersecurity, with the government offering businesses new incentives to fix security problems, the Internet Security Alliance said.
Hacker Hits Adobe Illustrator With New Attack (PC World)
In technology
PC World - Adobe Systems' security response team is scrambling to fix a newly disclosed bug in its Illustrator software, even as it readies another security patch for next week.
Online Privacy Campaign Site Kicks Off (PC World)
In technology
PC World - A new site dedicated to improving online privacy launched today with a tool for filing a complaint with the Federal Trade Commission, along with information about your privacy rights - or lack thereof.
Counterfeit software reports soar: Microsoft (AFP)
In technology
AFP - Reports of counterfeit software, much of it tainted with computer viruses, have doubled during the past two years, according to Microsoft.
Bad Avast Update Labels Many Files as Malware (PC Magazine)
In technology
PC Magazine - On Thursday night, ALWIL Software, the creators of the Avast! antivirus program, released a bad update the misidentified many programs as malware.
Malware Messes up India's Online Test for Business Schools (PC World)
In technology
PC World - The move by India's top business schools to take their CAT entrance test online turned embarrassing after malware-infected computers left a number of students unable to take the test.
Companies Expected To Increase Spending In Computer Security (Investor's Business Daily)
In business
Investor's Business Daily - Security vendors could benefit as companies loosen tech budgets tightened in the recession.
Cisco, Juniper gear vulnerable to hacking: U.S. govt (Reuters)
In technology
Reuters - The U.S. government has identified flaws in equipment from four companies, including Cisco Systems Inc , that hackers can exploit to break into corporate computer networks.
Fake Swine Flu Emails Lead to Real Malware Infection (PC World)
In technology
PC World - A new malware campaign uses faked e-mails that appear to inform of H1N1 vaccination programs from the Centers from Disease Control, but actually attempts to install the Zeus Trojan.
Restaurants Sue Vendors After Point-of-sale Hack (PC World)
In technology
PC World - When Keith Bond bought a computerized cash register system for his Broussard, Louisiana, restaurant, he thought he was modernizing his restaurant. Today, he believes he was unwittingly opening a back door for Romanian hackers who have now cost him more than US$50,000.
McAfee names eBay executive to board (AP)
In technology
AP - Antivirus software maker McAfee Inc. said Tuesday that it named eBay Inc.'s president of marketplaces, Lorrie Norrington, to its board.
Hackers spread virus with swine flu vaccine offer (Reuters)
In technology
Reuters - Hackers are spreading a vicious computer virus through spam email messages that urge recipients to visit a bogus website offering vaccinations to protect them against another virus -- the one that causes swine flu.
Secure Web shopping; US trails in worker benefits (AP)
In business
AP - ONLINE SHOPPING SAFETY: Whether businesses like it or not, online shopping is increasingly prevalent at work, surveys show, and comprise a growing chunk of American retailers' sales. So experts say businesses need to protect their computers from viruses, spam and other problems associated with e-commerce.
Northrop links to academics to boost cyber defense (Reuters)
In technology
Reuters - Northrop Grumman Corp unveiled Tuesday an industry-academic research group to tackle growing cyber threats to U.S. computer networks and to networked infrastructure.
China Warns About Return of Destructive Panda Virus (PC World)
In technology
PC World - A computer worm that China warned Internet users against is an updated version of the Panda Burning Incense virus, which infected millions of PCs in the country three years ago, according to McAfee.
Spam King Gets More Than Four Years Behind Bars (NewsFactor)
In business
NewsFactor - One of the world's most notorious spammers has reached the end of the road -- or at least a rest stop -- that could last for the next 51 months. Alan Ralsky, known as the spam king, was sentenced Tuesday to more than four years in prison by U.S. District Judge Marianne O. Battani in Detroit. In June, Ralsky pleaded guilty to conspiracy to commit wire fraud and mail fraud, and to violations of the CAN-SPAM Act.
Attacks Appear Imminent as IE Exploit Is Improved (PC World)
In technology
PC World - Hackers working on the open-source Metasploit project have spiffed up a zero-day attack on Microsoft's Internet Explorer, making it more reliable -- and more likely to be used by criminals.
Five Tips to Shop Black Friday and Cyber Monday Securely (PC World)
In technology
PC World - This Friday is Black Friday--officially kicking off the 2009 holiday shopping season. Online attackers and malware developers know how to capitalize on current events, and the rush to find great holiday bargains offers a prime opportunity to exploit eager shoppers. Here are five tips to help you shop online securely.
'Godfather of Spam' Ralsky Gets 51 Months in Prison (PC Magazine)
In technology
PC Magazine - Four men, including a 64-year-old Michigan resident known as the "Godfather of Spam," were sentenced to several years in prison Tuesday for conspiring to commit wire fraud, mail fraud, and violate federal anti-spam legislation.
Hacked Climate Change Emails Set Off Political Storm (NewsFactor)
In science
NewsFactor - Internet security and climate change had a surprising run-in last week, as thousands of emails from the University of East Anglia's Climate Research Unit wound up on climate-skeptic web sites. The University says it is cooperating with police and launching its own investigation into how the emails wound up online.
S.Korea halves ceiling on text messages to fight spam (AFP)
In technology
AFP - South Korean authorities on Wednesday halved the daily limit on text messages sent out by mobile phones as part of a campaign against spam, officials said.
'Godfather of Spam' Sentenced to Four Years in Prison (PC World)
In technology
PC World - One of the most notorious U.S.-based spammers was sentenced to more than four years in jail on Monday for a scheme that used spam to manipulate stock prices in order to make a profit.
WindowSecurity.com
WindowSecurity.com provides Windows security news, articles, tutorials, software listings and reviews for information security professionals.
Securing your Multi-Platform Network
By deb@shinder.net (Deb Shinder)
A guide to securing your multi-platform network.
Menlo Logic AccessPoint SSL VPN Software - Voted WindowSecurity.com Readers' Choice Award Winner - VPN Software
By info@WindowSecurity.com (The Editor)
Menlo Logic AccessPoint SSL VPN Software was selected the winner in the VPN Software category of the WindowSecurity.com Readers' Choice Awards. Astaro Security Gateway and Check Point VPN-1 Power were first runner-up and second runner-up respectively.
Endpoint Encryption - Is BitLocker Enough?
By rickym@trencor.net (Ricky M. Magalhaes)
The strengths and weaknesses of BitLocker and how seriously organizations need to take encryption.
TaoSecurity
Richard Bejtlich's blog on digital security and the practices of network security monitoring, incident response, and forensics.
Troubleshooting FreeBSD Wireless Problem
By Richard Bejtlich
My main personal workstation is a Thinkpad x60s. As I wrote in Triple-Boot Thinkpad x60s, I have Windows XP, Ubuntu Linux, and FreeBSD installed. However, I rarely use the FreeBSD side. I haven't run FreeBSD on the desktop for several years, but I like to keep FreeBSD on the laptop in case I encounter a situation on the road where I know how to solve a problem with FreeBSD but not Windows or Linux. (Yes I know about [insert favorite VM product here]. I use them. Sometimes there is no substitute for a bare-metal OS.)
When I first installed FreeBSD on the x60s (named "neely" here), the wireless NIC, an Intel(R) PRO/Wireless 3945ABG, was not supported on FreeBSD 6.2. So, I used a wireless bridge. That's how the situation stayed until I recently read M.C. Widerkrantz's FreeBSD 7.2 on the Lenovo Thinkpad X60s. It looked easy enough to get the wireless NIC running now that it was supported by the wpi driver. I had used freebsd-update to upgrade the 6.2 to 7.0, then 7.0 to 7.1, and finally 7.1 to 7.2. This is where the apparent madness began.
I couldn't find the if_wpi.ko or wpifw.ko kernel modules in /boot/kernel. However, on another system (named "r200a") which I believe had started life as a FreeBSD 7.0 box (but now also ran 7.2), I found both missing kernel modules. Taking a closer look, I simply counted the number of files on my laptop /boot/kernel and compared that list to the number of files on the other FreeBSD 7.2 system.
$ wc -l boot-kernel-neely.06dec09a.txt
545 boot-kernel-neely.06dec09a.txt
$ wc -l boot-kernel-r200a.06dec09a.txt
1135 boot-kernel-r200a.06dec09a.txt
Wow, that is a big difference. Apparently, the upgrade process from 6.2 to 7.x did not bring almost 600 files, now present on a system that started life running 7.x.
Since all I really cared about was getting wireless running on the laptop, I copied the missing kernel modules to /boot/kernel on the laptop. I added the following to /boot/loader.conf:
legal.intel_wpi.license_ack=1
if_wpi_load="YES"
After rebooting I was able to see the wpi0 device.
wpi0:
I think I will try upgrading the 7.2 system to 8.0 using freebsd-update, then compare the results to a third system that started life as 7.0, then upgraded from 7.2 to 8.0. If the /boot/kernel directories are still different, I might reinstall 8.0 on the laptop from media or the network.
Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Let a Hundred Flowers Blossom
By Richard Bejtlich
I know many of us work in large, diverse organizations. The larger or more complex the organization, the more difficult it is to enforce uniform security countermeasures. The larger the population to be "secure," the more likely exceptions will bloom. Any standard tends to devolve to the least common denominator. There are some exceptions, such as FDCC, but I do not know how widespread that standard configuration is inside the government.
Beyond the difficulty of applying a uniform, worthwhile standard, we run into the diversity vs monoculture argument from 2005. I tend to side with the diversity point of view, because diversity tends to increase the cost borne by an intruder. In other words, it's cheaper to develop exploitation methods for a target who 1) has broadly similar, if not identical, systems and 2) publishes that standard so the intruder can test attacks prior to "game day."
At the end of the day, the focus on uniform standards is a manifestation of the battle between two schools of thought: Control-Compliant vs Field-Assessed Security. The control-compliant team believes that developing the "best standard," and then applying that standard everywhere, is the most important aspect of security. The field-assessed team (where I devote my effort) believes the result is more important than how you get there.
I am not opposed to developing standards, but I do think that the control-compliant school of thought is only half the battle -- and that controls occupy far more time and effort than they are worth. If the standard whithers in the face of battle, i.e., once field-assessed it is found to be lacking, then the standard is a failure. Compliance with a failed standard is worthless at that point.
However, I'd like to propose a variation of my original argument. What if you abandon uniform standards completely? What if you make the focus of the activity field-assessed instead of control-compliant, by conducting assessments of systems? In other words, let a hundred flowers blossom.
(If you don't appreciate the irony, do a little research and remember the sorts of threats that occupy much of the time of many this blog's readers!)
So what do I mean? Rather than making compliance with controls the focus of security activity, make assessment of the results the priority. Conduct blue and red team assessments of information assets to determine if they meet various resistance and (maybe) "survivability" metrics. In other words, we won't care how you manage to keep an intruder from exploiting your system, as long as it takes longer for a blue or red assesor with time X and skill level Y and initial access level Z (or something to that effect).
In such a world, there's plenty of room for the person who wants to run Plan 9 without anti-virus, the person who runs FreeBSD with no graphical display or Web browser, the person who runs another "nonstandard" platform or system -- as long as their system defies the field assessment conducted by the blue and red teams. (Please note the one "standard" I would apply to all assets is that they 1) do no harm to other assets and 2) do not break any laws by running illegal or unlicensed software.)
If a "hundred flowers" is too radical, maybe consider 10. Too tough to manage all that? Guess what -- you are likely managing it already. So-called "unmanaged" assets are everywhere. You probably already have 1000 variations, never mind 100. Maybe it's time to make the system's inability to survive against blue and red teams the measure of failure, not whether the system is "compliant" with a standard, the measure of failure?
Now, I'm sure there is likely to be a high degree of correlation between "unmanaged" and vulnerable in many organizations. There's probably also a moderate degree of correlation between "exceptional" (as in, this box is too "special" to be considered "managed") and vulnerable. In other instances, the exceptional systems may be impervious to all but the most dedicated intruders. In any case, accepting that diversity is a fact of life on modern networks, and deciding to test the resistance level of those assets, might be more productive than seeking to develop and apply uniform standards.
What do you think?
Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Real Security Is Threat-Centric
By Richard Bejtlich
Apparently there's been a wave of house burglaries in a nearby town during the last month. As you might expect, local residents responded by replacing windows with steel panels, front doors with vault entrances, floors with pressure-sensitive plates, and whatever else "security vendors" recommended. Town policymakers created new laws to mandate locking doors, enabling alarm systems, and creating scorecards for compliance. Home builders decided they needed to adopt "secure building" practices so all these retrofitted measures were "built in" future homes.
Oh wait, this is the real world! All those vulnerability-centric measures I just described are what too many "security professionals" would recommend. Instead, police identified the criminals and arrested them. From Teen burglary ring in Manassas identified:
Two suspects questioned Friday gave information about the others, police said.
Now this crew is facing prosecution. That's a good example of what we need to do in the digital world: enable and perform threat-centric security. We won't get there until we have better attribution, and interestingly enough attribution is the word I hear most often from people pondering improvements in network security.
Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Celebrate FreeBSD 8.0 Release with Donation
By Richard Bejtlich
With the announcement of FreeBSD 8.0, it seems like a good time to donate to the FreeBSD Foundation, a US 501(c)3 charity. The Foundation funds and manages projects, sponsors FreeBSD events, Developer Summits and provides travel grants to FreeBSD developers. It also provides and helps maintain computers and equipment that support FreeBSD development and improvements.
I just donated $100. Will anyone match me? Thank you!
Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Historical Video on AFCERT circa 2000
By Richard Bejtlich
I just uploaded a video that some readers might find entertaining. This video shows the United States Air Force Computer Emergency Response Team (AFCERT) in 2000. Kelly AFB, Security Hill, and Air Intelligence Agency appear. The colonel who leads the camera crew into room 215 is James Massaro, then commander of the Air Force Information Warfare Center. The old Web-based interface to the Automated Security Incident Measurement (ASIM) sensor is shown, along with a demo of the "TCP reset" capability to terminate TCP-based sessions.
We have a classic quote about a "digital Pearl Harbor" from Winn Schwartau, "the nation's top information security analyst." Hilarious, although Winn nails the attribution and national leadership problems; note also the references to terrorists in this pre-9/11 video. "Stop the technology madness!" Incidentally, if the programs shown were "highly classified," they wouldn't be in this video!
I was traveling for the AFCERT when this video was shot, so luckily I am not seen anywhere...
Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Tort Law on Negligence
By Richard Bejtlich
If any lawyers want to contribute to this, please do. In my post Shodan: Another Step Towards Intrusion as a Service, some comments claim "negligence" as a reason why intruders aren't really to blame. I thought I would share this case from Tort Law, page 63:
In Stansbie v Troman [1948] 2 All ER 48 the claimant, a householder, employed the defendant, a painter. The claimant had to be absent from his house for a while and he left the defendant working there alone. Later, the defendant went out for two hours leaving the front door unlocked. He had been warned by the claimant to lock the door whenever he left the house.
While the house was empty someone entered it by the unlocked front door and stole some of the claimant's posessions. The defendant was held liable for the claimant's loss for, although the criminal action of a third party was involved, the possibility of theft from an unlocked house was one which should have occurred to the defendant.
So, the painter was liable. However, that doesn't let the thief off the hook. If the police find the thief, they will still arrest, prosecute, and incarcerate him. The painter won't serve part of the thief's jail time, even though the painter was held liable in this case. So, even in the best case scenario for those claiming "negligence" for vulnerable systems, it doesn't diminish the intruder's role in the crime.
Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Review of Martin Libicki's Cyberdeterrence and Cyberwar
By Richard Bejtlich
Amazon.com just posted my three star review of Martin Libicki's Cyberdeterrence and Cyberwar. I've reproduced the review in its entirety here because I believe it is important to spread the word to any policy maker who might read this blog or be directed here. I've emphasized a few points for readability.
As background, I am a former Air Force captain who led the intrusion detection operation in the AFCERT before applying those same skills to private industry, the government, and other sectors. I am currently responsible for detection and response at a Fortune 5 company and I train others with hands-on labs as a Black Hat instructor. I also earned a master's degree in public policy from Harvard after graduating from the Air Force Academy.
Martin Libicki's Cyberdeterrence and Cyberwar (CAC) is a weighty discussion of the policy considerations of digital defense and attack. He is clearly conversant in non-cyber national security history and policy, and that knowledge is likely to benefit readers unfamiliar with Cold War era concepts. Unfortunately, Libicki's lack of operational security experience undermines his argument and conclusions. The danger for Air Force leaders and those interested in policy is that they will not recognize that, in many cases, Libicki does not understand what he is discussing. I will apply lessons from direct experience with digital security to argue that Libicki's framing of the "cyberdeterrence" problem is misguided at best and dangerous at worst.
Libicki's argument suffers five key flaws. First, in the Summary Libicki states "cyberattacks are possible only because systems have flaws" (p xiii). He continues with "there is, in the end, no forced entry in cyberspace... It is only a modest exaggeration to say that organizations are vulnerable to cyberattack only to the extent they want to be. In no other domain of warfare can such a statement be made" (p. xiv). I suppose, then, that there is "no forced entry" when a soldier destroys a door with a rocket, because the owners of the building are vulnerable "to the extent they want to be"? Are aircraft carriers similarly vulnerable to hypersonic cruise missiles because "they want to be"? How about the human body vs bullets?
Second, Libicki's fatal understanding of digital vulnerability is compounded by his ignorance of the role of vendors and service providers in the security equation. Asset owners can do everything in their power to defend their resources, but if an application or implementation has a flaw it's likely only the vendor or service provider who can fix it. Libicki frequently refers to sys admins as if they have mystical powers to completely understand and protect their environments. In reality, sys admins are generally concerned about availability alone, since they are often outsourced to the lowest bidder and contract-focused, or understaffed to do anything more than keep the lights on.
Third, this "blame the victim" mentality is compounded by the completely misguided notions that defense is easy and recovery from intrusion is simple. On p 144 he says "much of what militaries can do to minimize damage from a cyberattack can be done in days or weeks and with few resources." On p 134 he says that, following cyberattack, "systems can be set straight painlessly." Libicki has clearly never worked in a security or IT shop at any level. He also doesn't appreciate how much the military relies on civilian infrastructure from everything to logistics to basic needs like electricity. For example, on p 160 he says "Militaries generally do not have customers; thus, their systems have little need to be connected to the public to accomplish core functions (even if external connections are important in ways not always appreciated)." That is plainly wrong when one realizes that "the public" includes contractors who design, build, and run key military capabilities.
Fourth, he makes a false distinction between "core" and "peripheral" systems, with the former controlled by users and the later by sys admins. He says "it is hard to compromise the core in the same precise way twice, but the periphery is always at risk" (p 20). Libicki is apparently unaware that one core Internet resource, BGP, is basically at constant risk of complete disruption. Other core resources, DNS and SSL, have been incredibly abused during the last few years. All of these are known problems that are repeatedly exploited, despite knowledge of their weaknesses. Furthermore, Libicki doesn't realize that so-called critical systems are often more fragile that user systems. In the real world, critical systems often lack change management windows, or are heavily regulated, or are simply old and not well maintained. What's easier to reconfigure, patch, or replace, a "core" system that absolutely cannot be disrupted "for business needs," or a "peripheral" system that belongs to a desk worker?
Fifth, in addition to not understanding defense, Libicki doesn't understand offense. He has no idea how intruders think or the skills they bring to the arena. On pp 35-6 he says "If sufficient expenditures are made and pains are taken to secure critical networks (e.g., making it impossible to alter operating parameters of electric distribution networks from the outside), not even the most clever hacker could break into such a system. Such a development is not impossible." Yes, it is impossible. Thirty years of computer security history have shown it to be impossible. One reason why he doesn't understand intruders appears on p 47 where he says "private hackers are more likely to use techniques that have been circulating throughout the hacker community. While it is not impossible that they have managed to generate a novel exploit to take advantage of a hitherto unknown vulnerability, they are unlikely to have more than one." This baffling statement shows Libicki doesn't appreciate the skill set of the underground.
Libicki concludes on pp xiv and xix-xx "Operational cyberwar has an important niche role, but only that... The United States and, by extension, the U.S. Air Force, should not make strategic cyberwar a priority investment area... cyberdefense remains the Air Force's most important activity within cyberspace." He also claims it is not possible to "disarm" cyberwarriors, e.g., on p 119 "one objective that cyberwar cannot have is to disarm, much less destroy, the enemy. In the absence of physical combat, cyberwar cannot lead to the occupation of territory." This focus on defense and avoiding offense is dangerous. It may not be possible to disable a country's potential for cyberwar, but an adversary can certainly target, disrupt, and even destroy cyberwarriors. Elite cyberwarriors could be likened to nuclear scientists in this respect; take out the scientists and the whole program suffers.
Furthermore, by avoiding offense, Libicki makes a critical mistake: if cyberwar has only a "niche role," how is a state supposed to protect itself from cyberwar? In Libicki's world, defense is cheap and easy. In the real world, the best defense is 1) informed by offense, and 2) coordinated with offensive actions to target and disrupt adversary offensive activity. Libicki also focuses far too much on cyberwar in isolation, while real-world cyberwar has historically accompanied kinetic actions.
Of course, like any good consultant, Libicki leaves himself an out on p 177 by stating "cyberweapons come relatively cheap. Because a devastating cyberattack may facilitate or amplify physical operations and because an operational cyberwar capability is relatively inexpensive (especially if the Air Force can leverage investments in CNE), an offensive cyberwar capability is worth developing." The danger of this misguided tract is that policy makers will be swayed by Libicki's misinformed assumptions, arguments, and conclusions, and believe that defense alone is a sufficient focus for 21st century digital security. In reality, a kinetically weaker opponent can leverage a cyber attack to weaken a kinetically superior yet net-centric adversary. History shows, in all theatres, that defense does not win wars, and that the best defense is a good offense.
Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
Shodan: Another Step Towards Intrusion as a Service
By Richard Bejtlich
If you haven't seen Shodan yet, you're probably not using Twitter as a means to stay current on security issues. Shoot, I don't even follow anyone and I heard about it.
Basically a programmer named John Matherly scanned a huge swath of the Internet for certain TCP ports (80, 21, 23 at least) and published the results in a database with a nice Web front-end. This means you can put your mind in Google hacking mode, find vulnerable platforms, maybe add in some default passwords (or not), and take over someone's system. We're several steps along the Intrusion as a Service (IaaS) path already!
Incidentally, this idea is not new. I know at least one company that sold a service like this in 2004. The difference is that Shodan is free and open to the public.
Shodan is a dream for those wanting to spend Thanksgiving looking for vulnerable boxes, and a nightmare for their owners. I would not be surprised if shodan.surtri.com disappears in the next few days after receiving a call or two from TLAs or LEAs or .mil's. I predict a mad scramble by intruders during the next 24-48 hours as they use Shodan to locate, own, and secure boxes before others do.
Matt Franz asked good questions about this site in his post Where's the Controversy about Shodan? Personally I think Shodan will disappear. Many will argue that publishing information about systems is not a problem. We hear similar arguments from people defending sites that publish torrents. Personally I don't have a problem with Shodan or torrent sites. From a personal responsibility issue it would have been nice to delay notification of Shodan until after Thanksgiving.
Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
I'm Surprised That Your Kung Fu Is So Expert
By Richard Bejtlich
This story is so awesome.
Hacks of Chinese Temple Were Online Kung Fu, Abbot Says
A hacker who posted a fake message on the Web site of China's famous Shaolin Temple repenting for its commercial activities was just making a mean joke, the temple's abbot was cited as saying by Chinese state media Monday.
That and previous attacks on the Web site were spoofs making fun of the temple, Buddhism and the abbot himself, Shi Yongxin was cited as telling the People's Daily.
"We all know Shaolin Temple has kung fu," Shi was quoted as saying. "Now there is kung fu on the Internet too, we were hacked three times in a row."
Why am I not surprised that a Shaolin monk has a better grasp of the fundamentals of computer security than some people in IT?
Bonus: Props to anyone who recognizes the title of this post.
Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
SecurityFocus News
SecurityFocus is the most comprehensive and trusted source of security information on the Internet. We are a vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
Brief: Google pushes security with Public DNS
Google pushes security with Public DNS
News: Sequoia to show off e-voting code
Sequoia to show off e-voting code
>> Advertisement <<
Can you answer the ERP quiz?
These 10 questions determine if your Enterprise RP rollout gets an A+.
http://www.findtechinfo.com/as/acs?pl=781&ca=909
Brief: Northrop, colleges form cybersecurity group
Northrop, colleges form cybersecurity group
>> Advertisement <<
Can you answer the ERP quiz?
These 10 questions determine if your Enterprise RP rollout gets an A+.
http://www.findtechinfo.com/as/acs?pl=781&ca=909
Brief: More attacks but fewer losses, survey finds
More attacks but fewer losses, survey finds
>> Advertisement <<
Can you answer the ERP quiz?
These 10 questions determine if your Enterprise RP rollout gets an A+.
http://www.findtechinfo.com/as/acs?pl=781&ca=909
Brief: Anti-spam test finds more is better
Anti-spam test finds more is better
Brief: Microsoft releases password attack data
Microsoft releases password attack data
Security Fix
Brian Krebs on computer and Internet security
Phishers angling for Web site administrators
In Latest Warnings
Scam e-mail artists have launched a massive campaign to trick webmasters into giving up the credentials needed to administer their Web sites, targeting site owners at more than 90 online hosting providers. Experts say the attackers are attempting to build a distributed network of hacked sites through which to distribute their malicious software. The spam e-mails arrive addressed to users of some of the top Web hosting firms, from hostgator.com to yahoo.com and 50webs.com, and bear the same basic message: "Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details." Recipients who click the included link are brought to a Web site made to look like a cPanel page (cPanel is a widely used Web site administration software package). People who fall for the scam and provide their credentials are then forwarded on to the actual site of the Web hosting
Apple issues security updates for Mac OS X
In New Patches
Apple this week pushed an update for Leopard and Snow Leopard systems that plugs a large number of security holes in Apple's version of Java, a package installed by default on those Mac OS X systems that enables a number of multimedia Web applications. The new Java version fixes at least 14 vulnerabilities in the version designed for OS X 10.6 systems; the package put together for 10.5 Macs corrects more than two dozen security flaws. Mac users can grab the patches via Software Update or from Apple Downloads. The patch fun continues into Tuesday of next week, when both Microsoft and Adobe are scheduled to issue updates to plug security vulnerabilities of their own. Microsoft said Thursday that it plans to issue at least six security patches (each patch fixes at least one -- but often multiple -- security flaws). Half of those updates will carry a "critical" rating,
Bit.ly to scour shortened links for badness
In Safety Tips
Scammers and spammers soon will have a tougher time masking links to their malicious Web sites using bit.ly, one of the more popular link-shortening services out there: The company said this week it is teaming with three security firms to warn users when a shortened link looks like it leads to badness. Criminals increasingly are abusing URL-shortening services to disguise the true destination of both phishing Web sites and those that host malicious software. Some of the most prolific and automated of these attacks take place on social media sites like Facebook and Twitter, networks that are far less useful and fun if users can't feel relatively comfortable clicking links. In response, bit.ly will by the end of the year be working with Sophos, Verisign and Websense to scrub some 40 million shortened links each day for those linking to malware, spam and phishing Web sites, the company said this
DC businessman loses thousands after clicking on wrong e-mail
In Safety Tips
Pay-per-click revenue in the online advertising business may be diminishing for traditional media publishers, but thieves increasingly are earning five- to seven-digit returns when victims click on a booby-trapped link or attachment sent via e-mail. The latest victim to learn this was Nigel Parkinson, president of D.C.-based Parkinson Construction, a firm with an estimated $20 million in annual revenue that has worked on some of Washington's top gathering places, including the new D.C. Convention Center and the Nationals baseball stadium. Parkinson said he had an expensive crash course in computer security, when on Nov. 24, he clicked a link in an e-mail purporting to be from the Social Security Administration warning him about potential errors on his Social Security statement. Parkinson fell for the ruse and ended up downloading a copy of the Zeus Trojan, a prolific family of malicious software that criminal gangs have used to great effect to
Nastygram: CDC 'swine flu' vaccine scam
In Nastygram
E-mail scam artists are impersonating the Centers for Disease Control with a bogus e-mail that claims to offer information about a state-run vaccination program for the H1N1 "Swine Flu" contagion. This highly topical and plausible e-mail message directs recipients to a fake CDC Web site that tries to foist malicious software. Recipients who fall for the ruse and click the link are brought to a counterfeit CDC site that showcases a "Personal H1N1 Vaccination Profile" as an electronic document that supposedly contains the reader's name, contact details and medical data. Visitors are instructed to download their profile, which according to multiple sources is a malicious program (almost certainly a password stealer) that is hard to detect by the vast majority of anti-virus products on the market today.
Nastygram: Bogus DHL e-mails harbor secret message
In From the Bunker
A recent spam run that tries to distribute malicious software disguised as a DHL package tracking number contains a poorly hidden message that insults the Security Fix author by name. According to an analysis by security firm Sophos, the messages arrive as a "Dear Customer" notification stating that the courier company was unable to deliver a parcel to the recipient's address. The message urges recipients to click the attached "shipping label" for more information, and of course the attachment is a malicious program designed to steal the curious victim's passwords. Sophos said the tracking number cited in the messages appears to be a jumbled mush of letters, but closer inspection reveals an insult aimed at this author. (Suffice it to say, it is off-color enough that it cannot be repeated here.) Sophos's Graham Cluely writes: "I find it hard to believe that the hackers' choice of tracking reference number
Hackers attempt to take $1.3 million from D.C. firm
In Web Fraud 2.0
It has been a while since I've written about online banking fraud against small to mid-sized businesses, but I assure you the criminals perpetrating these attacks have been busier than ever. In fact, from more than a dozen incidents I've been investigating lately, the attackers for whatever reason now appear to be focusing heavily on property management and real estate firms, and title companies. On Nov. 12, I was contacted by a woman in Washington, D.C. who runs a large property management firm. The woman said her company had just been the victim of online banking fraud, but that her board of directors would not let her discuss the incident on the record. Per her request, I am omitting her name and the name of her firm. The woman said hackers had tried to transfer more than $1.3 million out of her firm's account, but that all three transactions had
Eight tips for safe online shopping
In Safety Tips
Shopping online is a great way to save time and money, but those efficiencies quickly vanish for people who lack basic online shopping smarts. Take a few minutes to review these safe shopping tips: They may just save you a world of headache and financial pain. 1. Shop with a credit card, not a debit card. The banks are pushing more consumers toward debit cards with a bevy of awards programs because they can charge merchants higher fees than on credit card-based transactions, said Avivah Litan, a fraud analyst with Gartner Inc. But if your debit card number gets stolen, it might be somewhat more complicated to sort things out, especially if fraud causes overdrafts and bounced checks. 2. Keep track of your receipts. Some experts advise online shoppers to print out all receipts. That's fine, but a simpler and more "green" alternative to this important tip is to simply
Google Public DNS Security Not Breaking New Ground, Some Say
Google has implemented security features in Google Public DNS to help prevent DNS cache poisoning and denial of service attacks. But while some applaud Google's approach, others - including OpenDNS - say Google is not breaking new ground.
- Much has been made about how Google Public DNS will improve the speed of the Web. But what about security? According to some, Google is on the right track - though others say the company is not exactly breaking new ground. "DNS as a protocol is pretty terrible in terms of security, but ...
Managing the Threat to Customer Data
High profile data breaches seem to occur with alarming regularity these days. Consumers are reeling from the realization that they can no longer trust institutions to safeguard their personal and financial data, and they are striking back by taking their business elsewhere. According to the 2008 Ponemon Cost of a Data Breach Report, lost business now accounts for 69 percent of the total cost of a data breach, showing that customers are increasingly prone to terminate their business relationships due to lost data. Particularly in these trying economic times, companies simply cannot afford to lose customers as a result of breach. Phil Dunkelberger, CEO of data protection stalwart PGP Corp., says that corporations need to do more to protect customer data, but the fault also lies with lawmakers, and even consumers themselves.
Adobe Investigates Security Vulnerability as Attack Code Surfaces
Adobe Systems is investigating reports of a new vulnerability affecting its Illustrator software. News of the zero-day came as Adobe prepared to release updates for Adobe Flash Player and Adobe AIR to address a critical security issue.
- Adobe Systems is investigating reports of a new security vulnerability affecting its Illustrator software. Proof-of-concept code for an attack was publicized this week and is circulating the Web. According to Adobe, the vulnerability can be exploited via a malicious Encapsulated PostScript (.eps)...
Microsoft to Fix Internet Explorer Security Hole on Patch Tuesday
Microsoft is preparing to address 12 security vulnerabilities with December's Patch Tuesday update. Among the critical fixes is a security patch for a zero-day vulnerability affecting Internet Explorer 6 and 7.
- Microsoft is planning to release six security bulletins for December's Patch Tuesday, including one to cover the recently disclosed zero-day vulnerability affecting Internet Explorer. According to the prerelease advisory, three of the bulletins are rated critical. The remaining bulletins are ra...
Microsoft Leaves Users Waiting for Fixes for Windows Black Screen of Death
News Analysis: Users who want the best Windows experience will need some help from Microsoft. But if the Black Screen of Death case is any indication, Microsoft isn't so quick to take responsibility. As usual, users find they are left to their own devices to solve problems with software and hardware they paid good money for.
- For too long, users have been forced by default to deal with the many security problems that plague the Windows ecosystem. Whether because of malware, flaws in how Microsoft built Windows or any other number of things that can occur in the course of using a Windows PC, it seems that users have to...
Telling Friends from Dangerous Foes in Social Network Security Maze
Social networking sites have become fertile ground for attackers, both by attracting victims with malware such as Koobface and by relaying commands to compromised computers. As it turns out, our friends are not always our friends a fact underscored earlier this year when Kaspersky Lab published findings that in terms of infections, social networks were 10 times more effective as attack vectors than e-mail. Staying safe means being wary, but it also means sites like Facebook, MySpace and LinkedIn have work to do as well. Here, eWEEK looks at the most dangerous social networking risks, and what both users and the sites themselves can do about them.
- ...
McAfee Most Dangerous Web Domain List Topped by Cameroon
In its third annual report on the riskiest Web domains, McAfee says attackers are using Cameroon's domain name as part of typo-squatting schemes to infect users with malware.
- McAfees list of the most dangerous Web domains has a new leader. Africas Cameroon(.cm) domain has taken the top spot from Hong Kong(.hk) as the riskiest domain on the Web, according to McAfees third annual Mapping the Mal Web report (PDF). Japan(.jp) was found to be the safest country...
Prevx Confirms Microsoft Patches Not Connected to Black Screen of Death
Prevx backs off claims that Microsoft patches are contributing to a Black Screen of Death condition being experienced by some Windows users.
- Security vendor Prevx has narrowed down the cause of a quot;Black Screen of Death quot; condition affecting Microsoft Windows. According to Prevx, the issue does not appear to be connected to patches issued by Microsoft. In an update this evening to a company blog, the company said the issue ...
Microsoft Says Black Screen of Death Unrelated to Patch Tuesday Updates
Microsoft is contending that the reports circulating of a Black Screen of Death are not due to the security updates the company issued in November. Meanwhile, security vendor Prevx is offering users a solution to fix the problem.
- The so-called Black Screen of Death condition striking some Windows users is not caused by bugs in November's Patch Tuesday updates, Microsoft stated Dec. 1. Security vendor Prevx reported on its blog Nov. 27 that Windows users were experiencing a black screen quot;due to a change in the Windo...
10 Reasons Why the New Windows Black Screen of Death Is Alarming
News Analysis: The Black Screen of Death might not cause as much damage as the Blue Screen of Death, but it's still causing major headaches for users. Worse, there is no sign that there will be a quick and permanent fix for all occurrences of this glitch. So users will just have to assume that the Black Screen of Death will likely continue to plague their computers indefinitely.
- When critics spend time explaining why Windows isn't as great a platform as Microsoft claims, they usually point to the Blue Screen of Death. When that hits, something serious has occurred, leading to major problems for the user. It has plagued Microsoft in the past and it continues to haunt the ...
Bit.ly Partnerships to Help Address Twitter Security Threats
Bit.ly, a URL shortening service popular among Twitter users, is partnering with VeriSign, Websense and Sophos to add a new level of security. The move addresses the growing abuse of shortened URLs, which conceal the full addresses of Websites, by attackers and spammers.
- Bit.ly, a URL shortening service popular among Twitter users, announced partnerships Nov. 30 with security companies VeriSign, Websense and Sophos. The alliance is designed to bring a new level of security to URL shortening, which has increasingly been abused by spammers and attackers. Services ...
IBM Confirms Acquisition of Database Security Vendor Guardium
After initially refusing to comment, IBM gives in and confirms reports that it is acquiring Guardium. The acquisition brings Guardium's database activity monitoring and data security capabilities into IBM's software portfolio.
- IBM officials confirmed Nov. 30 that the company has acquired Guardium for its database security and activity monitoring technology. IBM did not disclose the financial terms of the deal, but there are reports that the acquisition cost the company $225 million. The acquisition is the 28th purch...
IBM Reportedly to Buy Guardium for Database Security
IBM is reportedly acquiring database security vendor Guardium for $225 million. The acquisition announcement is expected to be made this week.
- Rumors are circulating that IBMis acquiring database security vendor Guardium for $225 million. Reports of the deal first surfaced late last week in Israeli newspaper TheMarker. Officials at IBMdeclined to comment on the rumors. If it goes forward, the deal would be a significant acquisition i...
British Hacker McKinnon Could Face Extradition Within Weeks
Gary McKinnon, who is accused of hacking U.S. military and NASA computers, experienced another setback in his bid to block extradition to the United States. The British Home Secretary has decided not to get involved in McKinnon's case, meaning the hacker could be extradited in the coming weeks.
- The British home secretary has refused to block Gary McKinnons extradition to the United States to face charges of hacking into U.S. military computers. According to reports, Home Secretary Alan Johnson decided new medical evidence was not sufficient cause for him to block McKinnons extradition....
Online Security Tips for Black Friday, Cyber Monday
Consumers and retailers are entering one of the busiest shopping periods of the year. The holidays bring more than shoppers, however they also bring cyber-criminals. Here are some tips to think about when it comes to your business, or your approach to online shopping, for the season.
- Consumers may have concerns about shopping online during the holidays, but that is not going to keep many of them away from their computers. In a survey by Sunbelt Software, 90 percent of the more than 650 respondents said they plan to shop online, despite the fact that many (56 percent) were c...
IT Security Predictions for 2010
Researchers from IBM and Sophos shared their thoughts on what the security threat landscape will look like for enterprises and consumers alike in 2010. Their predictions run the gamut from threats to social networking sites to an increase in attackers targeting hosted services.
- In the past 12 months, the security industry saw a resurgence of worms, an increase in rogue antivirus software scams and much, much more. But with the sun setting on 2009, security pros are turning their eyes toward the coming year. In it, they see a future with a threat landscape not ...
Symantec Website Hack Exposes User Data
A hacker recently demonstrated how a SQL injection vulnerability in a Symantec Website could be exploited to reveal user data. Symantec says the vulnerability ony impacts customers in Japan and South Korea.
- A Website operated by security firm Symantec was hacked - giving an attacker a sneak peak at sensitive customer data. The Romanian hacker known as Unu, who earlier this year uncovered a hole in a Website run by Kaspersky Lab, exploited a blind SQL injection problem to get his hands on clear-text pa...
eWeek Newsbreak Nov 23 2009
A malicious worm is attacking iPhone users. And its pretty serious, as the worm can act like a botnet. The iPhone is also making news in South Korea this month, as regulators recently granted Apple a license to operate location-based services in the country. Data security and management solutions company Paragon Software Group recently announced the release of their latest disaster recovery, system migration and virtualization software program. The company also announced the release of System Upgrade Utilities 2010, designed for streamlined migration from Windows XP or Vista to the new Windows 7 while still allowing the user to keep their old system. Storage specialist Cloud Engines is releasing the latest version of Pogoplug. Oracle and SpringSource have teamed up to propose a new Eclipse project called Enterprise Modules.
- Video Content....
'Godfather of Spam' Sentenced to 4 Years
Alan Ralsky, the man the feds nicknamed the Godfather of Spam, was sentenced to 51 months in prison for his part in a stock fraud and spamming scheme. Three other people were sentenced as well.
- The so-called "Godfather of Spam" was among four people sentenced today in federal court in Detroit for involvement in a stock fraud scheme that leveraged on a virulent spam campaign. Alan M. Ralsky, 64, of West Bloomfield, Mich., was sentenced to 51 months in prison for conspiring to comm...
Security
Microsoft Patch Tuesday for December 2009: six bulletins
By emil.protalinski@arstechnica.com (Emil Protalinski) on patchtuesday
According to the Microsoft Security Response Center, Microsoft will issue six Security Bulletins on Tuesday, and it will host a webcast to address customer questions about the bulletins the following day (December 9 at 11:00am PST, if you're interested). Three of the vulnerabilities are rated "Critical," and the other three are marked as "Important." All of the Critical vulnerabilities earned their rating through a remote code execution impact, meaning a hacker could potentially gain control of an infected machine. At least five of the six patches will require a restart.
Google Public DNS service not ideal for everyone
By iljitsch.vanbeijnum@arstechnica.com (Iljitsch van Beijnum) on networking
Apparently on a quest to to provide every Internet-related service itself, Google has now added the Google Public DNS service. The search giant claims performance benefits for many users (depending on their geographic/network location) and security benefits for everyone who adopts the new service. So should we all dive into our network settings and point our computers away from our ISP's DNS servers and towards Google's? Not necessarily.
For almost two decades, the Internet didn't have a Domain Name System, and the translation from human-friendly names into the IP addresses that computers and routers use to make packets flow to the right destination happened through a local file on each computer. In the late 1980s, a distributed system was created for this purpose: the DNS.
H1N1 malware epidemic is more contagious than real deal
By segphault@arstechnica.com (Ryan Paul) on spam
The Center for Disease Control (CDC) issued a statement this week to warn citizens about a recent wave of phishing e-mails that deceptively claim to be from the government organization. The e-mails refer to a state vaccination program and tell recipients that they have to create a personal H1N1 vaccination profile.
No such vaccination program exists. A link in the e-mail directs users to a fraudulent website that attempts to infect their computer with malware. Specifically, the fake H1N1 messages are being used to propagate ZBot (also known as Zeus), a trojan horse that powers one of the most active botnets. The program serves as a spam relay and also surreptitiously collects private data about the user to funnel back to the botnet operator.
Microsoft says B(lack)SODs not linked to latest patches
By emil.protalinski@arstechnica.com (Emil Protalinski) on windows
Microsoft is denying reports of the Black Screen of Death on a number of PCs. A fraction of Windows users have been complaining their computers were locking up and displaying a Black Screen of Death (BSOD, not to be confused with Blue Screen of Death, which is usually due to hardware or driver failure) after the last Microsoft Patch Tuesday on November 10, 2009.
Microsoft aims at IE6 holdouts, highlights security
By emil.protalinski@arstechnica.com (Emil Protalinski) on internetexplorer
One of the ways Microsoft plans to push Internet Explorer 6 and Internet Explorer 7 users to upgrade to Internet Explorer 8 is convincing them the latest version is much more secure, which it is. Dean Hachamovitch, general manager of Internet Explorer, last week posted a story on the IEBlog about how IE8 managed to block a malicious webpage he was linked to by one of his close friends on Facebook. What we found more interesting though, was when Hachamovitch put this feature a bit more into perspective: "IE8's SmartScreen now blocks malware sites over two million times a day." So far, the browser has blocked 275 million pieces of malware since it launched.
Microsoft investigating B(lack)SODs after Windows patches
By emil.protalinski@arstechnica.com (Emil Protalinski) on windows
Last week, a number of Windows users started complaining their computers were locking up and displaying a Black Screen of Death (BSOD, not to be confused with Blue Screen of Death, which is usually due to hardware or driver failure) after the last Microsoft Patch Tuesday on November 10, 2009. We contacted Microsoft but the software giant isn't yet ready to confirm (or deny) the reported issue. "Microsoft is investigating reports that its latest release of security updates is resulting in system issues for some customers," a Microsoft spokesperson told Ars. "Once we complete our investigation, we will provide detailed guidance on how to prevent or address these issues. The successful deployment of security updates is the ultimate goal of the Microsoft Security Response Center. Because of this, we continually work with our Customer Service and Support teams to keep a close eye for issues that may impact customers' deployment of security updates."
AV-Comparatives picks eight proactive antimalware winners
By emil.protalinski@arstechnica.com (Emil Protalinski) on malware
Following its October 2009 removal report, AV-Comparatives has released its November 2009 retrospective/proactive comparative. This is actually the second part of the August 2009 comparative, where 16 products, last updated on August 10 (new samples were taken between August 11, 2009 and August 17, 2009), were set on the same highest detection settings (except for Sophos and F-Secure) and put to the test. The results of the second part are only available now as they required a bit more work and analysis.
Military wins small battle in war against counterfeit chips
By hannibal@arstechnica.com (Jon Stokes) on doj
The US Department of Justice announced [PDF] today that a California man has pled guilty to trafficking counterfeit computer chips to the US military. Neil Fehaly agreed to cooperate with the government as part of his plea deal, and he faces up to five years in prison for passing off bogus versions of chips from Intel, VIA, STMicro, Analog Devices, and other chipmakers to the Navy. These counterfeits, some of which were outright fakes from China, and others of which were "remarked" versions of cheap chips that had been made to look like more expensive parts, have gone into countless critical military systems since the scam started, possibly endangering the lives of military personnel and civilians.
Sony still subsidizing US military supercomputer efforts
By hannibal@arstechnica.com (Jon Stokes) on Tech Policy
Consumers aren't the only ones enjoying the PlayStation 3's recent price drop. The US military has announced plans to buy 2,200 more of the game consoles, so that they can massively beef up the processing power of an existing, PS3-based supercomputer. A "Justification Review Document," which has oddly been deleted from Google since I found it but is still available at this cache link, explains that, "the new PS3s will be placed in a cluster environment with an existing cluster of 336 PS3s by connecting each of the units' one gigabit Ethernet port to a common 24 port gigabit hub."
Microsoft issues takedown notices over spilled COFEE
By emil.protalinski@arstechnica.com (Emil Protalinski) on digitalforensics
Microsoft has been issuing takedown notices for publicly hosting its leaked Computer Online Forensic Evidence Extractor (COFEE) tool. The company sent off "Demand for Immediate Take-Down: Notice of Infringing Activity" to companies hosting websites that offered the tool. The e-mails all start with the following standard statement: "Microsoft has received information that the domain listed above, which appears to be on servers under your control, is offering unlicensed copies of, or is engaged in other unauthorized activities relating to copyrighted works published by Microsoft."
IE6 and IE7 vulnerable to latest flaw; IE8 immune
By emil.protalinski@arstechnica.com (Emil Protalinski) on internetexplorer
Microsoft has issued Security Advisory 977981 in regard to public reports of a vulnerability that exists as an invalid pointer reference of Internet Explorer. Under certain conditions, it is possible for a CSS/Style object to be accessed after the object is deleted, and thus, if Internet Explorer attempts to access the supposedly freed object, it can end up running attacker-supplied code. IE6 SP1 on Windows 2000 SP4, as well as IE6 and IE7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 are affected. Microsoft notes that IE 5.01 SP4 and IE8 on all supported versions of Windows are not affected, but of course IE6 and IE7 still account for over 40 percent of the browser market.
UK hack reveals climate science's ugly side, little more
By jtimmer@arstechnica.com (John Timmer) on Tech Policy
Late last week, a collection of e-mails and documents began appearing on a variety of websites, purportedly a selection of a much larger cache of material obtained when hackers gained entry to the UK's Climatic Research Unit. All indications are that the documents are legitimate, and they reveal the scientists behind them as fully human: snarky, dismissive, prone to using colloquialisms instead of technical terms, and protective of their data—perhaps unethically protective. A lot of the material sounds very familiar to people working in scientific fields, but the response suggests that the e-mails may expand the gap between scientists and the public in this contentious field.
The scientific community became aware of the hacking when the perpetrators, fresh from their success, attempted to deface the popular Real Climate blog, turning it into a host for the archive. Shortly afterwards, the documents appeared at a site frequented by climate skeptics, and have since been mirrored elsewhere. This isn't the full trove of stolen files, as the hackers have only uploaded a selected portion of the material (presumably, items they felt made the scientists look especially bad), and it's possible that there was some manipulation of the contents. But the majority of the material appears to be legitimate; a New York Times reporter has tracked down some of the people who wrote the e-mails and confirmed their accuracy (the reporter's own correspondence with a number of the scientists made an appearance).
SecuriTeam
Welcome to the SecuriTeam RSS Feed - sponsored by Beyond Security. Know Your Vulnerabilities! Visit BeyondSecurity.com for your web site, network and code security audit and scanning needs.
ToutVirtual VirtualIQ Multiple Vulnerabilities
ToutVirtual's VirtualIQ Pro is specifically designed for IT administrators responsible for managing virtual platforms. Multiple vulnerabilities has been found which a allow an attacker to conduct various XSS and CSRF attack, and other attacks due to the use of an old an not hardened version of the web server.
Transport Layer Security Renegotiation Vulnerability
Cisco has reported an industry-wide vulnerability that exists in the Transport Layer Security (TLS) protocol that could impact any product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
Marvell Driver Multiple Information Element Overflows
The wireless drivers in some Wi-Fi access points (such as the MARVELL-based Linksys WAP4400N) do not correctly parse information elements included in association requests. Most information elements are used by the wireless access point and clients to advertise their capabilities (regarding rates, network name, cryptographic capabilities...).
HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
A potential security vulnerability has been identified with HP Data Protector Express 3.x and 4.x and HP Data Protector Express Single Server Edition (SSE) 3.x and 4.x running on supported Microsoft Windows, Linux, and NetWare versions. The vulnerability could be exploited locally to create a Denial of Service (DoS) or to execute arbitrary code.
Cute News and UTF-8 Cute News Multiple Vulnerabilities
Multiple vulnerabilities exist in Cute News and UTF-8 CuteNews. These vulnerabilities can be exploited to steal user credentials, disclose file contents, disclose the file path of the application and execute arbitrary commands.
HP Color LaserJet Printers Unauthorized Access to Data and DoS
A potential security vulnerability has been identified with certain HP Color LaserJet printers. The vulnerability could be exploited remotely to gain unauthorized access to data or to create a Denial of Service (DoS).
KDE KDELibs Remote Array Overrun with Arbitrary Code Execution
KDELibs is a collection of libraries built on top of Qt that provides the framework and functionality for developers of KDE-compatible software. The main problem exists in dtoa implementation. KDE has a very similar dtoa algorithm to BSD, Chrome and Mozilla.
PHP Multipart/Form-data Denial of Service Attack
PHP version 5.3.1 was just released. This release contains a patch for a denial of service condition we've reported on 27 October 2009. The problem is that you can include a very large number of files in the request. PHP will need to create those files before the script is executed and delete them afterwards.
HP Operations Manager for Windows Unauthorized Access
A potential security vulnerability has been identified with HP Operations Manager for Windows. The vulnerability could be exploited remotely to gain unauthorized access.
SearchSecurity: Security Wire Daily News
The latest information security news on IT threats, vulnerabilities and market trends from the award-winning SearchSecurity.com.
The world's top 5 riskiest domains
By Robert Westervelt
McAfee's 3rd Annual "Mapping the Mal Web" report highlights the domains with the most road hazards.
Microsoft to address 12 vulnerabilities, IE display zero-day
By Robert Westervelt
A Patch Tuesday bulletin is expected to address an Internet Explorer display error that could be targeted by attackers using a publicly available proof-of-concept exploit.
Software piracy group offers cash to whistleblowers
By Robert Westervelt
An industry group made up of software companies is offering workers in the U.K. more than $30,000 to blow the whistle on pirated software in their workplace.
Cybersecurity grant to fund research into critical infrastructure threats
By Michael S. Mimoso
University consortium will research threats to software and data storage systems and better understand cloud-based attacks with funding from defense contractor Northrop Grumman.
Microsoft, security firms warn of password meltdown
By Robert Westervelt
An increase in online shopping this season would be a boon to cybercriminals, who are conducting phishing and drive-by attacks in an attempt to profit from the holiday spirit.
US CERT warns of clientless SSL VPN vulnerability
By Robert Westervelt
VPN software from Cisco Systems, Juniper and others make users susceptible to Web-based attacks, according to an advisory from the U.S. Computer Emergency Readiness Team.
Should cities demand data breach penalties?
By Robert Westervelt
SearchSecurity.com editors discuss a city's cloud contract data breach clause. Also, the value of vendor security threat reports and the Web security gateway market.
IBM to acquire database security firm Guardium
By Robert Westervelt
Deal reportedly worth $225 million.
Top spammer gets four years in jail for stock fraud scheme
By Robert Westervelt
Alan Ralsky, the self-proclaimed "Godfather of Spam," was jailed for his role in a stock fraud spam scheme.
Health Net breach failure of security policy, technology
By Eric Ogren
Investigators should question why an external hard drive contained seven years of data, but IT security should have had the appropriate security policies and technologies in place to enforce them.
Cost of security, IT management add up at healthcare facilities, study finds
By Robert Westervelt, News Editor
Digitalizing healthcare records and new health systems fail to cut costs, according to new research from Harvard University. Security and other management costs add up.
SANS NewsBites
All Stories From Vol: 11 - Issue: 95
Sequoia Releases eVoting System Source Code (December 2, 2009)
Sequoia Voting Systems has published the source code for its Frontier end-to-end electronic voting system, making it the first electronic voting machine maker to do so.......
Number of Records Compromised in Breaches of Government and Military Systems Soars (December 2, 2009)
Although the number of reported data security breaches of US military and government systems has dropped over the last year, the number of records compromised by those breaches has climbed, according to statistics from the Identity Theft Resource Center.......
EFF Suing Gov. Agencies for Information on Social Networking Site Surveillance (December 1, 2 & 3, 2009)
The Electronic Frontier Foundation (EFF) and the University of California, Berkeley's Samuelson Law, Technology, and Public Policy Clinic are suing six US government agencies that failed to respond to Freedom of Information Act (FOIA) requests regarding their use of social networking sites in their investigations and surveillance.......
Microsoft December Security Update Will Address Zero-Day IE Flaw (December 3 & 4, 2009)
Microsoft plans to issue six security bulletins to address a dozen security flaws on Tuesday, December 8.......
DHS Finishes Draft of National Cyber Attack Response Plan (December 3, 2009)
The US Department of Homeland Security (DHS) has completed, in cooperation with other government agencies, a draft national cyber attack response plan.......
UK Police Take Down 1,200 Shady Websites (December 3, 2009)
UK police have taken down more than 1,200 websites that had been selling counterfeit designer items and deep discounts.......
Judge Throws Out Class Action Lawsuit (December 3, 2009)
A US federal court judge has thrown out a class-action lawsuit against pharmacy benefits company Express Scripts regarding a 2008 data security breach.......
Research in Motion Patches Flaws in BlackBerry PDF Distiller (December 2, 2009)
Research in Motion has issued security updates to address critical security flaws its BlackBerry Enterprise server.......
Microsoft Patches Not Responsible for Black Screen; Security Firm Apologizes (December 2, 2009)
Microsoft says it has found no evidence that patches announced in its November security bulletins are causing some users' computers to display what has been dubbed the "black screen of death.......
Northrup Grumman to Fund Cyber Security Solutions Research (December 1 & 2, 2009)
Northrop Grumman and three universities plan to form a cyber security research consortium to address emergent cyber security issues.......
US-CERT Warns of Vulnerability in Clientless SSL VPN Products (November 30, December 1 & 3, 2009)
The US Computer Emergency Readiness Team (US-CERT) has issued an advisory warning of a vulnerability that affects a number of clientless SSL virtual private network (VPN) products.......
Virgin to Pilot Deep Packet Inspection Anti-Piracy Effort (November 26, 2009)
Virgin Media says it will start monitoring customers' data packets without their consent in an effort to determine how much illegal filesharing traffic is traveling over its network.......
Pub Sued for Patron's Illegal Downloading on Wi-Fi Hotspot (November 27, 2009)
In a case believed to be the first of its kind, a UK pub has been fined GBP 8,000 (US $13,000) because someone used its Wi-Fi hotspot to download copyrighted content.......
Administration Seeks Reversal of Cyber Evidence Gathering Decision (November 25, 2009)
US Solicitor General Elena Kagan and officials at the Justice Department are seeking the reversal of a federal appeals court decision that limits the governments' cyber search-and-seizure power.......
Online Banking Thieves Find a New Way to Manipulate ACH Transactions (November 30, 2009)
In a new spin on the growing problem of thieves abusing the automated clearing house (ACH) system to steal funds from small- to-mid-sized businesses, thieves who are unable to obtain all the necessary login information of their targets' accounts have turned instead to pulling funds from their targets to accounts they have already fully compromised.......
Alleged RuneScape Account Thief Arrested (November 30, 2009)
Police in the UK have arrested a man for allegedly stealing RuneScape virtual characters and their possessions.......
Microsoft Looking Into Black Screen Problem (November 30, 2009)
Microsoft is investigating reports that security updates it released in November are causing black screens on some users' computers.......
Zeus Trojan Spreading Through Drive-by Download (November 30, 2009)
The Zeus or Zbot Trojan horse program is now spreading through drive-by download.......
Royal Navy Investigating Loss of USB Stick (November 29 & 30, 2009)
The Royal Navy is investigating the loss of a USB stick containing sensitive information.......
Restaurants Suing Point-of-Sale Vendor After Customer Cards Compromised (November 27 & 30, 2009)
Seven restaurants in Louisiana and Mississippi are suing point-of-sale vendor radiant for failing to provide adequate security precautions.......
UK Home Secretary Denies McKinnon's Extradition Appeal (November 27 & 30, 2009)
UK Home Secretary Alan Johnson has denied alleged hacker Gary McKinnon's appeal to avoid extradition to the US.......
Alleged Filesharers in UK to Receive Warning Letters (November 27, 2009)
ACS:Law Solicitors plans to send letters to as many as 15,000 alleged filesharers warning them that they are suspected of illegal activity.......
Payment Card Data Thieves Target Machine in Downtown Auckland (November 26 & 27, 2009)
Payment card fraudsters appear to have compromised payment machines at an Auckland, New Zealand car park to allow them to steal payment card account information.......
Former United Way Employee Sentenced for Computer Damage (November 24 & 27, 2009)
Luis Robert Altamirano has been sentenced to 18 months in federal prison for damaging the computer system of United Way of Miami-Dade.......
BSA Temporarily Doubles Maximum Reward for Information About Illegal Software (November 24 & 25, 2009)
The Business Software Alliance (BSA) has increased its maximum reward for reporting unlicensed software use in London.......
EXTRAS: Is The Cyber Threat To The Critical Infrastructure Real?
A study is underway of public attitudes and data on the importance of cyber threat to the critical infrastructure.......
EXTRAS: NIST 800-37 Ends the Era of Federal Certification & Accreditation
- Excellent Beginnings - One More Step To Go.......
Attacks Against Defense Dept. Systems On the Rise (November 20 & 23, 2009)
According to the US-China Economic and Security Review Commission's annual report to Congress, US Defense Department (DoD) computer systems have been the target of cyber incidents 43,785 times in the first half of 2009; if the trend continues, cyber attacks against DoD systems will increase 60 percent over last year.......
Pump-and-Dump Spammers Sentenced to Prison (November 23, 2009)
A US District judge in Detroit today handed down prison sentences ranging from 32 months to 51 months to four men involved in a spamming stock fraud scheme.......
Climate Research Documents Stolen and Posted to Internet (November 20 & 21, 2009)
Attackers broke into computers at the Climatic Research Unit of the University of East Anglia in Britain and stole thousands of emails and other documents which they then posted to the Internet.......
Cross-Site Scripting Flaw in IE 8 (November 23, 2009)
A cross-site scripting (XSS) vulnerability can be exploited to allow attacks on web pages that are otherwise safe.......
Zero-Day Flaw in Internet Explorer 6 and 7 (November 22 & 23, 2009)
Microsoft has acknowledged the existence of a zero-day flaw in older versions of Internet Explorer (IE).......
iPhone Worm Steals Banking Data, Enlists Devices in Botnet (November 23, 2009)
A worm targeting jailbroken iPhones is designed to steal online banking login credentials.......
Hancock Fabrics Customers Reporting ATM Fraud (November 23, 2009)
A rash of fraudulent ATM withdrawals is believed to be connected to victims' previous transactions at Hancock Fabrics stores in California, Wisconsin and Missouri.......
New Version of Opera Browser Addresses Serious Security Issue (November 23, 2009)
Opera has released version 10.......
Accident Victim Data Leaked From Las Vegas Hospital (November 21, 2009)
The FBI is looking into an alleged breach of privacy law at University Medical Center in Las Vegas, Nevada.......
SANS Internet Storm Center, InfoCON: green
Java JRE Buffer and Integer Overflow, (Sat, Dec 5th)
Sun acknowledged that multiple buffer and integer overflow vulnerabilities exist in the Java Runtime ...(more)...
Disregard INFOCON change notifications just sent - we had a glitch on the main server, (Fri, Dec 4th)
...(more)...
The economics of security advice (MSFT research paper), (Fri, Dec 4th)
A new research paper by Microsoft examines the economics of security advice and how user ...(more)...
Max Power's Malware Paradise, (Fri, Dec 4th)
Who Max Power is? Well, we don't know either. It's a pseudonym of a gang or guy who has a decent-si ...(more)...
Seems that Bing has come back up. Thank you all., (Fri, Dec 4th)
-- Joel Esler | http://blog.joelesler ...(more)...
Next week will be a big patch week - Adobe is also releasing patches "Adobe is planning to release an update for Adobe Flash Player 10.0.32.18 and earlier versions, and an update to Adobe AIR 1.5.2 and earlier versions, to resolve critical security issues, (Thu, Dec 3rd)
...(more)...
Apple released some Java updates today APPLE-SA-2009-12-03-1 & 2 (for 10.5 and 10.6). Fixes a number of security issues so updating is a good idea., (Thu, Dec 3rd)
...(more)...
Avast false positives, (Thu, Dec 3rd)
We have received a number of reports of Avast Antivirus false positives (Thanks Ken, Don,  ...(more)...
SPAM and Malware taking advantage of H1N1 concerns, (Wed, Dec 2nd)
Gary writes in, telling us of a recent spike in SPAM with a title similar to State Wide ...(more)...
Updates to Sysinternals Toolkit, (Wed, Dec 2nd)
Roseman tells us of updates to the popular Sysinternals toolkit. This round includes updates t ...(more)...
Microsoft Black Screen of Death - Fact of Fiction?, (Wed, Dec 2nd)
We've had a lot of interest in the drama unfolding around Prevx's announcment on Nov 27 that they ha ...(more)...
Vulnerabilities in the PDF distiller of the BlackBerry Attachment Service , (Tue, Dec 1st)
Brian and Francois let us know about a new vulnerability in the PDF distiller of the BlackBerr ...(more)...
Clientless SSL VPN products break web browser domain-based security models, (Tue, Dec 1st)
Matt sent a note pointing to a new advisory issued by US-CERT By convincing a user to view a ...(more)...
Distributed Wordpress admin account cracking, (Mon, Nov 30th)
One of our readers, catlu, found a very interesting script in one virtual private server (VPS), ran ...(more)...
A Cloudy Weekend, (Sun, Nov 29th)
There are times, like over a long US Holiday weekend leading up to your Handler duty shift, you get ...(more)...
Microsoft Security Advisory (977981), (Thu, Nov 26th)
Further information has been released regarding Microsoft Security Advisory (977981), previously rep ...(more)...
What Are You Thankful For?, (Thu, Nov 26th)
On this day of Thanksgiving in America, I'd like to take the opportunity, and give you the readers t ...(more)...
Updates to my GREM Gold scripts and a new script, (Wed, Nov 25th)
And finally, before those of us in the US trip out on tryptophan tomorrow, I've updated a few of the ...(more)...
Microsoft Updates requiring reboot, (Wed, Nov 25th)
We've been informed by several readers that they've received updates from Microsoft in the last 24 h ...(more)...
Tool updates, (Wed, Nov 25th)
Rather than do 4 one-liners in a row, I'll just do this one regular story. A number of our fav ...(more)...
The ISC and DShield websites will be unavailable on Wednesday Nov 25th from 8-8:30 am EST., (Tue, Nov 24th)
------ Johannes B. Ullrich, Ph ...(more)...
BIND Security Advisory (DNSSEC only), (Tue, Nov 24th)
The other ISC (Internet Systems Consortium) has released a security advisory on BIND and security pa ...(more)...
The Register - Security
Biting the hand that feeds IT
Germans devise attacks on Windows BitLocker
Industrial espionage drive decryption
German researchers have devised five methods that determined attackers can use to bypass hard-drive encryption in recent versions of Microsoft operating systems.…
Case Study: WhatsUp keeps Legoland turnstyles ringing
Accused phone thief snared after phone sends pic to victim
(Self)-portrait of the suspect as a dumb man
A Philadelphia teenager turned himself into police after his self-portrait was captured on a cell phone he's accused of stealing during an armed robbery.…
Attack exploits just-patched Mac security bug
Fix my browser, fan pleads
If you haven't installed the latest security update for Mac OS X, now would be a good time.…
Zero-day Adobe bug overshadows impending Flash fix
Illustrator illin'
Fears over a reportedly unpatched flaw in Adobe Illustrator have been heightened by the release of exploit code.…
PayPal mistakes own email for phishing attack
'You're right, it does look suspicious'
Banks and financial institutions are fond of lecturing customers about the perils of phishing emails, the bogus messages that attempt to trick marks into handing over their login credentials to fraudulent sites. Yet many undo this good work by sending out emails themselves that invite users to click on a link and log into their account rather than going a safer route and telling users to use bookmarked versions of their site.…
Zero-day IE fix stars in last Patch Tuesday of the decade
Critical Office and Win updates also lined up
Microsoft is lining up a fix for a zero-day vulnerability in Internet Explorer as part of the decade's last ever Patch Tuesday update.…
Two US men charged with running phony Cisco biz
Fake serial numbers in alleged $1m haul
Two Kansas men have been charged with making $1m in proceeds by buying computer networking gear in China and passing it off as products from Cisco Systems.…
Man loses fight against firm that suffered data breach
Harm? What harm?
A Missouri man has lost his legal battle against an online prescription processor that suffered a security breach that exposed highly sensitive subscriber information.…
Linux kernel cured of remote panic-attack bug
Get your BUG_ON
Developers of the Linux kernel have patched a bug that allowed attackers to remotely crash a machine by sending it malicious Wi-Fi signals.…
MS honeypot research sheds light on brute-force hacks
An idiot's guide to stronger passwords
Microsoft's honeypot-based research has highlighted common password mistakes, as well as shedding light on automated hacking techniques.…
UK police take down fake designer goods sites
Del Boys swept out of .co.uk domains
UK police have completed a massive take-down operation, after targeting scam websites selling fake designer goods.…
Malware derails Indian business school admission tests
Politician wade in as exams for 8,000 applicants postponed
A malware infection has screwed up plans for Indian business schools to run admission tests online for the first time.…
EFF seeks answers from Facebook police
Surveillance 2.0
As law enforcement agents increase their reliance on Facebook and MySpace to nab suspects, legal watchdogs are demanding that officials disclose exactly how they use social networking sites.…
Sequoia opens kimono with e-voting code handout
'Completely reversed'
Sequoia Voting Systems has become the first electronic voting machine maker to publish the source code used in one of its systems, a move that computer scientists have praised.…
Facebook goes live with privacy revamp
Is there an 'enemy of my enemy' setting?
Facebook has revamped and simplified its privacy controls.…
Cameroon leapfrogs Hong Kong in malware hosting blocklist
One in three .cm domains booby-trapped, warns McAfee
Cameroon (.cm) web domains supplanted those in Hong Kong as most likely to harbour malware, with more than one in three (36.7 per cent) of domains registered in the West African country hosting viruses or malicious code.…
PrevX U-turn on Windows update Black screen of Death claim
Paint IT black
Updated PrevX has backtracked on earlier claims that a Windows update caused Windows machines to lock up with a so-called "Black Screen of Death".…
UK mulls extension of McKinnon judicial review period
Refusal to step in branded 'spineless'
Alan Johnson said he may grant Pentagon hacker Gary McKinnon extra time to apply for judicial review of his US extradition case, but the home secretary insisted he was powerless to stop the forced transfer.…
Malicious PDFs can commandeer BlackBerry Servers, RIM warns
Patch available
Attackers can commandeer your BlackBerry servers by attaching maliciously formed PDF files to emails, Research in Motion warned Tuesday.…
Foodies sue providers of hacked payment system
Breaches R Us
A group of restaurants is demanding millions of dollars in damages from two companies accused of selling point-of-sale terminals that exposed customer data to criminal hackers.…
Russian ransomware blocks net access
New social engineering wheeze appears in east
Miscreants have developed a ransomware package that blocks internet access in a bid to force infected users into paying up by sending a text message to a premium rate SMS number, lining the pocket of cybercrooks in the process.…
Anti-spammers urged to gang up
Test suggests collaboration is the way to fight the wrong'uns
The combined efforts of anti-spam products outperform any individual products alone, according to an experiment by Virus Bulletin, the independent security certification organisation.…
Extra spam and malware security for bit.ly
Sophos, VeriSign and Websense to provide belt and braces
Bit.ly has partnered with security firms to bolt improved anti-spam and malware protection onto the URL shortening service.…
Privacy fears prompt Fry to quit Plaxo
A bit of Fry and worry
Stephen Fry has quit Plaxo after he became annoyed that the social networking site was revealing what he sees as too many personal details with anyone visiting the site - as opposed to designated contacts.…
FreeBSD bug gives untrusted root access
'Unbelievably simple' exploit
A security bug in the latest version of FreeBSD can be exploited to grant unprivileged users complete control over the operating system, a German researcher said Monday.…
Cisco and Juniper 'clientless' VPNs expose netizens
No cure for authentication bypass
Virtual private networking software from Cisco Systems, Juniper, and other manufacturers can make users susceptible to a variety of web-based attacks, the US Computer Emergency Readiness Team warned on Monday.…
Prolific penis pill pushers fined almost $19m
At last
Federal authorities have imposed almost $19m in fines on an enterprise accused of spamming the world with billions of emails advertising male-enhancement pills and other pharmaceuticals.…
Web service automates WordPress password cracking
Malefactors debut Hacking as a Service
Hackers have developed a distributed Wordpress admin account cracking scheme that poses a severe risk for the security of blogs whose owners select insecure passwords.…
Prevx blames Microsoft for black hawk screen down
Patches bestow chocolate teapot status on Windows PCs
Microsoft’s most recent release of security patches is causing some computers to freeze and display a, er, black screen of death.…
Gervais pic used in amusingly rubbish failed bank fraud
Berks borrowed Brent's boatrace but blew it
Crooks tried to impersonate Ricky Gervais by using a picture of The Office character David Brent mounted in a counterfeit passport as part of a comically inept attempt to withdraw a large sum from the comedian's bank account.…
Notts County Council sprays £82k on PC smut trawl
Funding gap plugging boob
As Nottinghamshire County Council gets ready to issue hundreds of redundancy notices to staff in an effort to plug a £30m gap in its finances, it is also spending six-figure sums on an anti-porn crusade.…
IBM poised to acquire database security start-up for $225m
Guardium makes Big Blue sweat before signing
IBM is set to buy database security firm Guardium for $225m.…
Web host Daily recovers after Tux-themed defacement
Lock-down follows cartoon penguin attack
UK-based web host Daily has largely restored services following an apparent hack attack on Thursday that replaced content on some sites it hosts with pictures of cartoon penguins.…
Smut-ladened spam disguises WoW Trojan campaign
Pwned and porned
A malicious spam campaign that attempts to harvest online game passwords under the guise of messages containing smutty photos is doing the rounds.…
Toshiba worker arrested for selling copy limit busting SW
You can't do that in Japan
A Toshiba employee in Japan has been arrested for selling copy limit breaking software, letting buyers copy digital TV programmes on Japanese recording and playback products as much as they liked.…
McKinnon family 'devastated' by Home Sec's latest knock-back
Options running out for 'suicidal' Pentagon hacker
Solicitors for Pentagon hacker Gary McKinnon are planning a 11th-hour judicial review after Home Secretary Alan Johnson decided new medical evidence was insufficient reason for him to step in and block US extradition proceedings.…
Gov net disconnections could breach EU law
May scupper free Wi-Fi too
The Government's Digital Economy Bill could be in breach of EU laws, according to an internet law expert. Professor Lilian Edwards has also warned that the Bill could make it impossible to operate a free wireless network legally.…
Splinter Cell hack smells more like publicity stunt
Pwn or PR?
Ubisoft said that the website of its popular video game Splinter Cell had been hacked on Thursday. However circumstantial evidence suggests the hack is more likely to be a publicity stunt than a genuine cyber assault.…
Johnson refuses to intervene in McKinnon extradition
'No discretion' says Home Sec
Gary McKinnon could be extradited to the US to face hacking charges before Christmas, after the Home Secretary declared he would not be intervening in the case.…
Facebook swipes user's vanity URL
I am not a number, I am a squaresheep! Or not
Analysis Facebook's recently introduced vanity URLs may be a handy function for many, but the offer to distinguish users' profiles with names rather than numbers is not unconditional.…
iPhone developer hires worm author
Strewth!
An Australian mobile application developer has hired the creator of the first iPhone worm, Ashley Towns, as a software developer.…
US Military cyber forces on the defensive in network battle
Operation Screaming Whimpering Fist
The US 24th Air Force - the first dedicated American military cyber force to go operational - is "not yet a warfighting organisation" and needs to "create an awareness of the battlespace", according to its commander.…
iPhone anti-malware stuck in state of denial
Not needed, says Apple. Won't run, say developers
The blaze of publicity that accompanied the release of the first iPhone worms this month has sparked interest in selling anti-malware products for the device. However no such security products currently exist and Apple shows little inclination in licensing any that do get developed.…
The rise of targeted attacks
Expert musings that hit the spot
Webcast Earlier this month Paul Wood of MessageLabs joined Freeform Dynamics’ Jon Collins in the Reg studio to discuss targeted attacks and their affect on the modern business.…
Climate change hackers leave breadcrumb trail
Is anyone looking?
The hackers who leaked more than 1,000 emails from one of the top climate research centers may have used an open proxy to cover their tracks, but that doesn't mean authorities can't figure out who they are.…
The power of collaboration within unified communications
Bug puts net's most popular DNS app in Bind
Rare but remote
Makers of Bind have warned of a security vulnerability in versions of the domain name resolution application that could allow attackers to trick servers into returning unauthorized results.…
MS unleashes legal attack dogs to lick up COFEE spill
Cryptonomicon
Microsoft unleashed its legal attack dogs to remove its leaked forensics tool from a respected security site, it has emerged.…
Network World on Security
The latest security news, analysis, reviews and feature articles from NetworkWorld.com.
HSBC exposed sensitive bankruptcy data
HSBC Bank says a bug in its imaging software inadvertently exposed sensitive data about some of its customers going through bankruptcy proceedings.
Researcher says iPhone data model could lead to malware
If you're feeling whiplash over the state of iPhone security, you're in good company. Last month, the first iPhone worms were reported, which either rickrolled your iPhone with a background picture of Mr. Astley, or did far worse things to your software and data. But the only people who were vulnerable were people who had jailbroken their phones, turned on SSH services, and neglected to change their root password. And we all know that people who use default root passwords are silly, right?
20 mobile trends and future technologies
Spokespeople from Info-Tech Research Group Ltd., Advanced Micro Devices Inc., Sony Corp. and Research in Motion Ltd. provided food for thought on upcoming uses for mobile devices at a Technology Town Hall meeting in Toronto Tuesday.
DoD nixes vendor of online monitoring software over privacy concerns
A vendor of parental control software that is already under fire for alleged violations of an online children's privacy law, has been suspended from selling its products on a Department of Defense shopping portal because of privacy concerns.
Fortinet secures remote and branch office environments
Fortinet, a network security and unified threat management (UTM) solutions provider, has launched a new FortiGate multi-threat security appliance for remote office and branch office (ROBO) environments.
Cell phone subterfuge produces nation of spies
Location, location, location -- it's not merely the key to success in retail. It's also the key to your privacy -- or what little is left of it. And that too is rapidly disappearing, thanks to that wondrous gizmo you probably carry with you at all times: the cell phone.
Experts Not Surprised By iPhone Malicious App Report
Malicious iPhone apps that Apple unwittingly approves could attack even non-jailbroken iPhones, according to a developer, but security experts say this isn't earth-shattering news.
No harm, no foul, says judge in Express Script data breach case
A federal court in Missouri has thrown out a consumer class-action lawsuit that was brought against pharmacy benefits company Express Scripts over a 2008 data breach in which millions of customer records were believed to have been illegally accessed.
Thanksgiving webcam promo leads to malware
The US$10 webcam that Anna Giesman bought her daughter at Office Depot over the Thanksgiving weekend sounds like one of those deals that's too good to be true. And for her, it was.
CDT launches campaign to help consumers demand privacy
The Center for Democracy and Technology has launched a new consumer privacy campaign with the goal of empowering Internet users to take control of their privacy.
Online Privacy Campaign Site Kicks Off
A new site dedicated to improving online privacy launched today with a tool for filing a complaint with the Federal Trade Commission, along with information about your privacy rights - or lack thereof.
Google Public DNS: What It Means For Your Privacy
Google's expanding its grasp on the Internet with a newly revealed DNS resolving service. Google Public DNS, announced Thursday on Google's blog, will offer you an alternative way to connect to Web sites.
New study calls for cybersecurity overhaul in U.S.
The U.S. government and private businesses need to overhaul the way they look at cybersecurity, with the government offering businesses new incentives to fix security problems, the Internet Security Alliance said.
With new attack released, Adobe to patch next week
Adobe Systems' security response team is scrambling to fix a newly disclosed bug in its Illustrator software, even as it readies another security patch for next week.
Microsoft to patch IE zero-day bug next week
Microsoft today said it will deliver six security updates on Tuesday, including one that will patch a vulnerability in Internet Explorer (IE) the company admitted only last week.
Securing Your iPhone Jailbreak
Between the harmless but cautionary Rickrolling worm and the much less friendly iPhone/Privacy.A worm that was able to access personal data without any indication, iPhone jailbreaking has been getting a lot of coverage lately- though not necessarily the kind of coverage the community wants or needs. On top of the recent influx of worms, jailbreakers also have to worry about Apple's repeated attempts to shut it all down via software and hardware updates, as well as all the usual security issues that any wi-fi enabled mobile device may be susceptible to. To those who have already jailbroken, or are considering making the jump- fear not! Your jailbroken iPhone can be just as, if not even more secure than
Facebook plans site changes
Facebook has issued an 'An Open Letter from Facebook Founder Mark Zuckerberg,' updating users on changes ahead for the popular service.
Lawsuit seeks information on federal surveillance of social networking sites
The Electronic Frontier Foundation and the University of California, Berkeley have filed a lawsuit against six government agencies, seeking information on their use of social networking sites for data collection and surveillance.
Malware messes up India's online test for business schools
The move by India's top business schools to take their CAT entrance test online turned embarrassing after malware-infected computers left a number of students unable to take the test.
Fighting fraud with social network analysis
Fraud from organized criminal groups hurts financial institutions the most, the best way to fight a criminal network is to take it down as an organization and analytics software helps institutions do this by providing insight into the big picture, according to Chris Swecker.
Fake Swine Flu Emails Lead to Real Malware Infection
A new malware campaign uses faked e-mails that appear to inform of H1N1 vaccination programs from the Centers from Disease Control, but actually attempts to install the Zeus Trojan.
RIM to BlackBerry Admins: Beware New BES Security Flaw
BlackBerry-maker Research In Motion (RIM) has issued a critical security advisory related to a flaw in its BlackBerry Enterprise Server (BES) software that could enable hackers to execute malicious code and hijack infrastructure. The vulnerability is currently ranked as both a 9.2 and 5.7 on a scale of 0 to 10, with 10 representing the most critical flaws.
Why Privacy Concerns are Ruining Facebook
Facebook was built as a powerful social connector, allowing users to befriend others with similar interests, locations, schools, and more. But as privacy concerns mount and users demand more protection, the social networking site's philosophy has started to go down the toilet. Now that Facebook is eliminating regional networks -- or groupings of people based on where they live -- it's becoming apparent that proclivities lean towards building fences rather than crossing them.
Sprint Admits Giving GPS Data to the Government
There was a time, I suspect, when this news would've been a very big deal: Sprint turned over customers' GPS whereabouts to law enforcement 8 million times over the last year. But today, very few people seem concerned about the revelation.
Black Screen of Death: A Lesson in FUD
The reports of the Windows "black screen of death" seem to be greatly exaggerated and hardly worth mentioning. The FUD (fear, uncertainty, and doubt) and sensationalism that have surrounded the issue are a bigger story than the actual black screen of death at this point, and highlight the need for clear communication and ethical disclosure.
Three Tips to Avoid the Windows Black Screen of Death
It doesn't take much to ignite FUD (fear, uncertainty, and doubt) against Microsoft--especially with news of a critical flaw affecting Windows 7. News that a Microsoft update is causing "millions" of PC's to experience a "black screen of death" is both exaggerated and wrong. Apparently, its much ado about nothing.
New Facebook Privacy Controls Just Weeks Away
Remember those privacy changes that Facebook announced last July? They are about to be implemented across the network, Facebook founder Mark Zuckerberg said in an open letter posted on the site.
Restaurants sue vendors after point-of-sale hack
When Keith Bond bought a computerized cash register system for his Broussard, Louisiana, restaurant, he thought he was modernizing his restaurant. Today, he believes he was unwittingly opening a back door for Romanian hackers who have now cost him more than US$50,000.
Cloud identity service gets provisioning, management
Cloud identity provider Symplified Tuesday added provisioning and management capabilities to its service platform that lets users bridge between their in-house directories and cloud-based applications.
Keep an eye on temps, and other holiday season security tips for retailers
Temporary workers brought in to help during the busy holiday shopping season can sometimes pose a security risk for retailers.
Microsoft denies blame for 'black screens of death'
Microsoft today denied that its November Windows updates are causing a widespread "black screen" lock-out of users' PCs.
Microsoft: Don't Believe the Black Screen of Death Hype
Move over, BSOD: There's a new screen of death in town. The frightful-sounding "black screen of death" is striking Windows machines worldwide, if recent media reports are to be believed, and Microsoft itself is the one who unleashed the beast.
Pub fined £8,000 after Wi-Fi used for illegal downloads
A pub has been fined £8,000 after a web users used its Wi-Fi connection to illegally download copyrighted material.
Northrop Grumman launches cybersecurity research group
Government security contractor Northrop Grumman has joined with three leading cybersecurity research universities to launch a research consortium focused on fixing the most vexing problems in information security.
Securuty review: Good riddance to 2009
Looking back at 2009, I'm sure I will not be alone in celebrating the end of the year with gusto. 2009 was a difficult year for most, with a slow recovery and challenging business conditions. Let's see how I did predicting security trends in 2009.
Cloud security service looks for malware
Webroot Tuesday announced it has extended its cloud-based Web security service, adding a way to filter outbound as well as inbound Web traffic, monitoring for threats in order to detect and block malware such as botnets that have infected computers.
Scammers get better tools for tapping social networks
New tools capable of quickly finding, gathering and correlating information about individuals from social networking sites and other public sources are giving online scammers a powerful new weapon, say security researchers.
Microsoft investigates Windows 'black screen of death'
Microsoft today confirmed that it is looking into reports that November's security updates have triggered a black screen on some Windows users' PCs.
Court orders spam network to pay $15.2 million
A U.S. district court judge has ordered the largest "spam gang" in the world to pay nearly US$15.2 million for sending unsolicited e-mail messages marketing male-enhancement pills, prescription drugs and weight-loss supplements, the U.S. Federal Trade Commission said Monday.
IBM buys database security firm Guardium
IBM has acquired database security vendor Guardium, it said Monday, confirming earlier reports. Terms of the deal were not disclosed.
Capsa Keeps Tabs on Your SMB Network
Capsa Network Analyzer Professional Edition (various pricing; free, feature-limited, 15-day demo) is a powerful tool for network monitoring. It is not a tool for home users, unless they're very unusual; this is a program aimed at those whose job includes knowing what's going on with their network at an extremely technical level. It's a good fit for a small or medium-sized business. Often, getting the kind of information this program delivers requires PERL scripts and deep command-line voodoo; Capsa displays and sorts it all in a surprisingly intuitive way. What it doesn't do, of course, is provide the training needed to interpret the data. If DNS, SMTP, and IPV6 sound more like bad Scrabble draws than technical terms, Capsa probably isn't a tool you will find useful.
Call for jail sentences after police hand over information
The Information Commissioner has called for tougher penalties over the reckless misuse of data, after police officers were found to have wrongly handed over sensitive data to dangerous individuals.
The Fruit of the Poisoned Tree
Should we hire criminal hackers as security experts? This is the second of a two-part attack on the idea from a 1995 debate in which I participated.
Home Secretary says McKinnon must face US trial
Computer hacker Gary McKinnon looks set to face trial in the US after Home Secretary Alan Johnson said there were no grounds to prevent his extradition.
New malware scam targets Twilight fans
PC Tools' Malware Research Center has warning web users of another online scam hoping to piggyback on hype surrounding the new Twilight New Moon film.
Ikee iPhone worm hacker lands lucrative job
The hacker who created the Ikee iPhone worm because 'he was bored', may be smarter than he first appeared. Ashley Towns has shown no regret over writing the bug, but he has subsequently landed a job with an Australian company that develops legitimate iPhone apps.
China warns about return of destructive Panda virus
A computer worm that China warned Internet users against is an updated version of the Panda Burning Incense virus, which infected millions of PCs in the country three years ago, according to McAfee.
Home Secretary rebuffs Gary McKinnon's extradition plea
Gary McKinnon, the man accused of hacking into the NASA and Pentagon IT systems in 2001 and 2002, has been dealt another blow in his fight against extradition to the U.S.
Vendor rages after iPhone hacker given job
A security firm has expressed incredulity at the news that the Australian prank hacker who wrote a program targeting Apple iPhone users has been given a job by an application developer.
Viviane Reding picked to re-write EU data protection laws
Viviane Reding, the European Commissioner who for the past five years has championed consumer rights in the telecommunications and IT arenas, has been picked to take charge of a re-write of the European Union's 15-year-old data protection laws due to start next year.
Hack In The Box heading to Holland
The organizers of the Hack In The Box security conferences in Malaysia are planning their first European show for Amsterdam next July.
India to set up automatic monitoring of communications
India plans to set up a centralized system to monitor communications on mobile phones, landlines and the Internet in the country, a minister told the Rajya Sabha, the upper house of Parliament, on Thursday.
Data-leak lessons learned from the 'Climategate' hack
In case you've missed it, someone recently dumped a large cache of e-mail files and documents from the University of East Anglia University's prestigious Climactic Research Unit onto the ‘Net. The CRU is one of the leading climatology research institutions, and its data and models provide much of the infrastructure on which the theory of anthropogenic global warming (AGW) is based.
Sept. 11 pager messages published online
The pager message is from a woman near a pay phone near 38th Street in New York City on Sept. 11, 2001. The woman says her children were evacuated, but she's trying to find them. She tells her husband she loves him.
Attacks appear imminent as IE exploit is improved
Hackers working on the open-source Metasploit project have spiffed up a zero-day attack on Microsoft's Internet Explorer, making it more reliable -- and more likely to be used by criminals.
Metasploit releases IE attack, but it's unreliable
Developers of the open-source Metasploit penetration testing toolkit have released code that can compromise Microsoft's Internet Explorer browser, but the software is not as reliable as first thought.
SANS official talks security
This is the second of two parts of an interview of Stephen Northcutt by technologist David Greer.
Telecommunications Act changes backed by forensics expert
A call for intercepted data to be destroyed "as soon as it is no longer required" has been described as shortsighted by the director of one of the country's leading forensic computer labs. The call is part of the Greens’ opposition to amendments to the Telecommunications Interception Act, which was tabled in the Senate.
Man pleads guilty to selling fake chips to U.S. Navy
A 32-year-old California man has pleaded guilty to charges that he sold thousands of counterfeit chips to the U.S. Navy.
Redirecting DNS requests can harm the Internet, says ICANN
ICANN (Internet Corporation for Assigned Names and Numbers) on Tuesday condemned the practice of redirecting Internet users to a third-party Web site or portal when they misspell a Web address and type a domain name that does not exist.
Freenet Lets You Browse the Web Freely
Large swaths of the world are subject to censorship, or else track their citizens' use of the Internet. Free program Freenet lets you anonymously browse the Web, share files, chat on forums, and more--no matter where you are. Download and run the software, and you become part of a decentralized P2P network that uses encryption and other tools to keep you hidden and anonymous. As you browse, your data is encrypted and sent through a series of Freenet nodes, making it very difficult to track you.
Securely Wipe a Dead Hard Drive
Dwma needs to return a dead hard drive to the manufacturer, and asked the Answer Line forum for a way to first remove sensitive data.
Microsoft adds identity to cloud
Everyone eyeing Microsoft's Azure, their candidate for cloud-based computing, can at least agree on one thing: Redmond is late to the party that's dominated by Salesforce.com, Google, Amazon and a host of others. How can they hope to differentiate themselves?
Panda Antivirus Pro 2010: A Fair Performer
Panda Antivirus Pro 2010 ($50 for a one-year, three-PC license) ranks fifth in our current roundup of 11 stand-alone antivirus apps. It was buoyed by positives such as strong traditional malware detection, but dragged down by negatives like poor behavioral scans.
BitDefender Antivirus 2010
BitDefender Antivirus ($30 for a one-year, three-PC license) holds its own at dealing with malware, but its interface isn't especially user-friendly. Overall the program earned fourth place in our roundup of stand-alone antivirus programs.
Kaspersky Anti-Virus 2010
Kaspersky's third-place ranking in our roundup of stand-alone antivirus programs reflects its ability both to impress and to disappoint. It pairs competent proactive protection with below-average signature detection, and a strong feature set with an at-times annoying user experience.
Symantec Norton AntiVirus 2010
Symantec's Norton AntiVirus ($40 for a one-year, single-PC license) offers some terrific extra features and a polished user interface. But subpar performance in one detection category prevented it from capturing the top spot in our chart of stand-alone antivirus programs.
Top Protection: G Data AntiVirus 2010
Most security programs use a single antivirus engine, but the German-made G Data ($25 for a one-year, single-PC license, as of 11/20/09) uses two separate engines: BitDefender and Avast. That double coverage may have helped it rack up an impressive 99.95 percent block rate for traditional, signature-based detection of known malware, a rate better than that of any other app we tested. It was likewise strong at blocking annoying adware, running up a 99.8 percent score, and these strengths helped it earn top billing.
Microsoft issues security advisory on IE exploit, patch in works
Microsoft Monday night issued a security advisory that provides customers with information and guidance on how to deal with the zero-day exploit aimed at Internet Explorer.
25% of office workers would steal company data
A quarter of office workers would steal sensitive company data if they thought it would help a friend or family member in securing a job, says CyberArk.
Facebook Blocks Raunchy Worm
Facebook has reportedly blocked an exploit propagating on the social networking site, which spreads when users click to see a revealing photo of a woman.
'Godfather of Spam' sentenced to four years in prison
One of the most notorious U.S.-based spammers was sentenced to more than four years in jail on Monday for a scheme that used spam to manipulate stock prices in order to make a profit.
Facebook worm spreads with a lurid lure
Some Facebook users have been infected with a worm after clicking on an image of a scantily clad woman, which then redirects the victims to a pornography site, according to security researchers.
McAfee Avert Labs
Cutting edge security research as it happens.......
Mapping the Mal Web: McAfee’s 3rd Annual Report
By Toralv Dirro on Web and Internet Safety
We have just released “Mapping the Mal Web,” our third report revealing the riskiest and safest web domains to surf and search. For the first time combining data from McAfee’s SiteAdvisor and TrustedSource, the report is even more comprehensive than last year’s, naming Cameroon (.cm) as the riskiest place to surf with a whopping 36.7 percent [...]
H1N1 Vaccination Profile – A path to infection
By Adam Wosotowsky on Web and Internet Safety
On December 1st McAfee Labs detected an outbreak of a spam mail pretending to be from the CDC and using the H1N1 virus to facilitate the distribution of a Zeus Trojan executable. The email claims that the CDC is requiring all people to fill out a “vaccination profile” online. This email has been associated with [...]
Get Rich Quick! Just In Time for the Holidays
By Sam Masiello on Web and Internet Safety
National unemployment rates over 10% and the pressures of the holiday shopping season make for a dangerous cocktail that the cyber criminals can take advantage of. Fears of not being able to pay the monthly mortgage, car payments, backed up bills, and providing for your children for the holidays have put many people into situations [...]
Boosting Security Awareness in Colleges
By Nitin Kumar on identity_theft
Security breaches, laptop theft, and identity theft happen all the time, and these crimes increase every year. The need for people to become more aware of their digital presence and the threats surrounding it is vital. The pace at which these threats increase is much faster than our awareness grows, making a bad situation. One way [...]
Koobface Worm Asks for Captcha
By Neha Joshi on Web and Internet Safety
We discussed in a recent blog how Google Reader has become an unwitting spam target. We now see the same behavior in a recent variant of Koobface. This variant uses the Google Reader page to host the malware. Once the user selects the Google link, a fake YouTube window appears, as shown below. When the user [...]
Highlights of Xcon 2009
By Bing Sun on General Computer Security
This is my fourth time to attend Xcon (the Xfocus Information Security Conference), and the third time as a speaker. Xcon is the biggest and most influential nongovernmental computer security technical conference in China. Actually for most Chinese security researchers it’s not only a technical event, but also a big party where they can meet [...]
Make Your Password Secure
By Adam Wosotowsky on Web and Internet Safety
No matter how sophisticated security gets, we still need to handle the basics properly. One of the most basic tasks is to create and use secure passwords. You need them to log onto your computer, reach internal applications, and enter just about every website you visit. They are pervasive in our connected world. But how many [...]
Zero-Day IE Exploit Coming to a Browser Near You
By Jon Paterson on Zero-Day
Information regarding another zero-day vulnerability in the Internet Explorer web browser affecting version 6 and 7 has been published as Proof-of-Concept over the weekend. The vulnerability lies in a missing check when accessing a website’s Stylesheet markup information through the „getElementsByTagName“ script method. The current PoC exploit uses heap-spraying to write the malicious shellcode to [...]
Fly for $1 or Your Money Back!
By Pedro Bueno on Web and Internet Safety
It is the time of year to get together with family and friends, and that often involves flying. So, how about a promotional airline ticket for just $1? That sounds like an irresistable idea! Though it also sounds too good to be true. As you can imagine, there is something wrong here. Instead of flying for [...]
COFEE Break Turns Messy
By Francois Paget on Web and Internet Safety
A common challenge of cybercrime investigations is the need to conduct forensic analysis on a computer before it is powered down and restarted. As some active system processes and network data are volatile and may be lost after the computer is turning off, investigators were in search of a tool that could assist them in [...]
Curiosity as a Malicious PDF
By Karthik Raman on Malware Research
What would you do if you saw an email in your inbox with a PDF named “U.S. ship thwarts second pirate attack November 18, 2009.pdf”? Would the title pique your curiosity? I hope not enough for you open the document! This PDF is the latest in the ugly line of exploit- and malware-ridden embedded PDFs that [...]
Malicious Java Applet Poses as Carrie Prejean Video
By Rahul Mohandas on Vulnerability Research
McAfee Labs has observed various spam runs exploiting the recent sensational Carrie Prejean news. The Prejean video is rapidly becoming one of the most searched-for topics ever on the net since the existence of the tape became common knowledge. Source: Google Trends Java applets provide everything from interactive features to web applications to advertisements. Since the birth [...]
InSecurity Complex
Keeping tabs on flaws, fixes, and the people behind them.
Defense Dept. pulls software over privacy issues
By Elinor Mills
EPIC complaint alleging privacy issues with Echometrix parental control software prompts Defense Department online store to pull the product.
Microsoft to plug critical IE hole targeted by exploit code
By Elinor Mills
Patch Tuesday will see fixes for 12 vulnerabilities in IE, Windows, and Office, three of which are critical.
Avast update falsely flags good apps as malware
By Elinor Mills
Czechoslovakia-based antivirus maker fixes security update that mistakenly identified good programs as a Trojan.
EFF sues feds for info on social-network surveillance
By Elinor Mills
After agencies fail to provide info requested on policies for using Twitter, Facebook, and other social networks in investigations, Electronic Frontier Foundation sues.
Fake CDC vaccine e-mail leads to malware
By Elinor Mills
AppRiver warns of scammers preying on public interest in the H1N1 vaccine through an e-mail purporting to come from Centers for Disease Control.
Building circuits, code, community at Noisebridge hacker space
By Elinor Mills
The Noisebridge hacker space offers sewing and Mandarin classes, soldering workshops, Internet-controlled front door access, and a server room with no door.
Info Security News
Carries news items (generally from mainstream sources) that relate to security.
Certifications are not a panacea for cybersecurity woes
Posted by InfoSec News on Dec 04
http://fcw.com/articles/2009/12/01/comment-castro-certification.aspx
By Daniel Castro
Commentary
FCW.com
Dec 01, 2009
As Congress debates legislation to improve cybersecurity, one
problematic idea that appears to have gained some traction is developing
a national certification program for cybersecurity professionals.
If certifications were effective, we would have solved the cybersecurity
challenge many years ago. Certainly more workforce...
Re: Wanted: A Smokey Bear for cybersecurity
Posted by InfoSec News on Dec 04
Forwarded from: hobbit (at) avian.org (*Hobbit*)
Today's malware risk is ...
Engineers who hacked into L.A. traffic signal computer, jamming streets, sentenced
Posted by InfoSec News on Dec 04
http://latimesblogs.latimes.com/lanow/2009/12/engineers-who-hacked-in-la-traffic-signal-computers-jamming-traffic-sentenced.html
By Shelby Grad
Los Angeles Times
December 1, 2009
Two L.A. traffic engineers who pleaded guilty to hacking into the city's
signal system and slowing traffic at key intersections as part of a
labor protest have been sentenced to two years' probation.
Authorities said that Gabriel Murillo, 40, and Kartik Patel, 37,...
Crooks 'too lazy' for crypto
Posted by InfoSec News on Dec 04
http://www.theregister.co.uk/2009/12/03/digital_forensics_encryption/
By Chris Williams
The Register
3rd December 2009
The widespread use of encryption by criminals - long feared by
intelligence and law enforcement agencies - has yet to materialise,
according to the man in charge of the country's largest digital
forensics unit.
Mark Stokes, head of the Metropolitan Police's Digital and Electronic
Forensic Services (DEFS), told The...
Secunia Weekly Summary - Issue: 2009-49
Posted by InfoSec News on Dec 04
========================================================================
The Secunia Weekly Advisory Summary
2009-11-26 - 2009-12-03
This week: 43 advisories
========================================================================
Table of Contents:
1.....................................................Word From...
Cisco, Juniper vulnerable to hacking
Posted by InfoSec News on Dec 04
Forwarded from: Simon Taplin <simon.taplin (at) gmail.com>
http://www.itweb.co.za/index.php?option=com_content&view=article&id=28597:cisco-juniper-vulnerable-to-hacking&catid=219:reuters
By Reuters
3 Dec 2009
The US government has identified flaws in equipment from four companies,
including Cisco Systems, that hackers can exploit to break into corporate
computer networks.
The Department of Homeland Security's US Computer...
A Call to Cyber Arms
Posted by InfoSec News on Dec 04
http://www.afcea.org/signal/signalscape/index.php/2009/12/a-call-to-cyber-arms/
By Maryann Lawlor
SIGNAL Scape
The official blog of
AFCEA International
and SIGNAL Magazine
12/02/09
Sherri Ramsay, director of the NSA's Central Security Service Threat
Operations Center, opened AFCEA's SOLUTIONS Series today by admitting
that the intersection of cyber, national and economic security has
changed the way her organization interacts with...
FBI's Chicago RCFL Receives Prestigious Accreditation
Posted by InfoSec News on Dec 04
http://www.fbi.gov/pressrel/pressrel09/chicago_rcfl120309.htm
Press Release
For Immediate Release
December 3, 2009
Washington D.C.
FBI National Press Office
(202) 324-3691
FBI's Chicago RCFL Receives Prestigious Accreditation
The American Society of Crime Laboratory Directors/Laboratory
Accreditation Board (ASCLD/LAB) recently accredited the Chicago Regional
Computer Forensics Laboratory (RCFL) in digital and multimedia evidence....
E2-labs' project Ethan dissected. Anatomy of a franchise proposal based on non-existing partnerships (UPDATED)
Posted by InfoSec News on Dec 02
http://www.zone-h.org/news/id/4731
[So maybe Peerbhoy wasn't trained by Zone-H from details here...
http://www.zone-h.org/news/id/4716 - More details about Peerbhoy,
http://www.infosecnews.org/hypermail/0903/16060.html - WK]
By Roberto Preatoni
Zone-H.org
22/11/2009
We received a notice that on WikiLeaks somebody uploaded an interesting
document. It's a PDF file, called Project Ethan (after Tom Cruise's
Mission Impossible caracther?) and it...
Call for Papers - you Sh0t the Sheriff 4 - Security Conference, Brazil
Posted by InfoSec News on Dec 02
Hello InfoSecNews readers,
The call for papers for the yStS (you Sh0t the Sheriff) conference is now
open!
The 4th edition will be, once again, held in Sao Paulo, Brazil, on May
17th, 2010.
INTRODUCTION
you sh0t the Sheriff is a very unique event dedicated to bringing cutting
edge topics to the top-notch Information Security Community in Brazil.
yStS mixes the highest quality presentations and speakers from all over the
globe, covering...
Cyber Warfare Command to Be Launched in January
Posted by InfoSec News on Dec 02
http://www.koreatimes.co.kr/www/news/nation/2009/12/205_56502.html
By Jung Sung-ki
Staff Reporter
The Korea Times
12-01-2009
The Ministry of National Defense will launch a cyber warfare command
next month, officials said Tuesday.
The command will conduct both defensive and offensive cyber operations
under the direction of the defense minister, they said.
Previously, the ministry had been considering establishing a cyber
command under the...
Metasploit Gets New Vulnerabilty Scanning Features
Posted by InfoSec News on Dec 02
http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=222000147
By Kelly Jackson Higgins
DarkReading
Dec 01, 2009
A new version Metasploit released today includes integrated
vulnerability scanning for the popular open source penetration testing
tool.
Rapid7, which recently purchased Metasploit, today announced both the
new version of Metasploit, 3.3.1, as well as a new free version of
Rapid7's...
Sequoia opens kimono with e-voting code handout
Posted by InfoSec News on Dec 02
http://www.theregister.co.uk/2009/12/02/sequoia_source_code_disclosure/
By Dan Goodin in San Francisco
The Register
2nd December 2009
Sequoia Voting Systems has become the first electronic voting machine
maker to publish the source code used in one of its systems, a move that
computer scientists have praised.
On Monday, the Denver, Colorado company released the first batch of code
for Frontier, an end-to-end e-voting system that it plans to...
Wanted: A Smokey Bear for cybersecurity
Posted by InfoSec News on Dec 02
http://fcw.com/articles/2009/12/02/smoky-bear-cybersecurity.aspx
By Amber Corrin
FCW.com
Dec 02, 2009
Cybersecurity has become more than a homeland security issue; it has
become a national lifestyle issue that hinges on raising education at
the individual level, a panel of information security experts said
today.
"If the U.S. is going to continue to be a center of innovation in the
world, we need to up our game. and get on par with...
The Fruit of the Poisoned Tree
Posted by InfoSec News on Dec 02
http://www.networkworld.com/news/2009/113009-criminal-hackers.html
By M. E. Kabay
Network World
12/02/2009
Should we hire criminal hackers as security experts? This is the second
of a two-part attack on the idea from a 1995 debate in which I
participated.
* * *
On a broader scale, consider the message you would be giving some
thirteen year old proto-hacker. These kids, like most kids, are
tremendously susceptible to peer pressure. They...
Restaurants Sue Vendor for Unsecured Card Processor
Posted by InfoSec News on Dec 01
http://www.wired.com/threatlevel/2009/11/pos/
By Kim Zetter
Threat Level
Wired.com
November 30, 2009
Seven restaurants have sued the maker of a bank card-processing system
for failing to secure the product from a Romanian hacker who breached
their systems.
The restaurants, located in Louisiana and Mississippi, have filed a
class-action suit against Georgia-based Radiant Systems for producing a
point-of-sale (POS) system that they say was...
Gilbert man loses job in case tied to alien-search software
Posted by InfoSec News on Dec 01
http://www.azcentral.com/news/articles/2009/11/30/20091130searchforaliens1202.html
By Emily Gersema
The Arizona Republic
Nov. 30, 2009
The search for intelligent life apparently has stopped for Brad
Niesluchowski.
Higley Unified School District records obtained by The Arizona Republic
show that Niesluchowski, of Gilbert, resigned in October after an
investigation into suspicious activity, including the use of a program
that searches...
I Was Wrong: There Probably Will Be an Electronic Pearl Harbor
Posted by InfoSec News on Dec 01
http://www.csoonline.com/article/509213/I_Was_Wrong_There_Probably_Will_Be_an_Electronic_Pearl_Harbor
By Ira Winkler
CSO
November 29, 2009
For 15 years now, I have been publicly lambasting all of those people
who have made their careers, or at least made fleeting news headlines,
based on their declaration of an imminent Electronic Pearl Harbor. My
disdain is based on several factors, but predominantly the lack of
accountability for such...
CERT Australia pushes on network security
Posted by InfoSec News on Dec 01
http://www.theaustralian.com.au/australian-it/cert-australia-pushes-on-network-security/story-e6frgakx-1225805518322
By Karen Dearne
The Australian
December 01, 2009
The new computer emergency response team, CERT Australia, will expect
internet service providers to be more active in cleaning up infected
computers operating on their networks.
Following the federal government's e-security review last year, the
Internet Industry Association...
The nation needs a clear cyber war doctrine
Posted by InfoSec News on Dec 01
http://gcn.com/articles/2009/11/30/cybereye-cyberwar-doctrine.aspx
By William Jackson
GCN.com
Nov 30, 2009
A recent study from McAfee on cyber crime and cyber warfare concluded
that, like it or not, the world.s information infrastructures are
becoming theaters of war, as nations develop offensive and defensive
capabilities to wage cyber warfare.
"Cyber weapons exist, and we should expect that adversaries might use
them," said...
Cyber crime danger
Posted by InfoSec News on Dec 01
http://www.fijitimes.com/story.aspx?id=134569
Fiji Times
November 30, 2009
THE Police Force has forecast cyber crimes to increase by 40 to 50 per
cent from 2010 to 2012.
Jemesa Lave of the police cyber crime unit said in these two years, it
was anticipated that more complicated technological crimes would be
perpetrated in Fiji.
Coupled with this, he said was the anticipated shift from conventional
criminal operations to cybercrime....
Priyanka's twitter update could be security threat
Posted by InfoSec News on Dec 01
http://www.mid-day.com/lifestyle/2009/nov/231109-Priyanka-Chopra-Twitter-account-Security.htm
[Ankit Fadia, India's uber hacking expert, appears to heavily promote
Viagra, or been hacked by evil spammers that found a way to subtlety
deface the web page. - http://attrition.org/errata/sec-co/fadia01.html - WK]
By Kumar Saurav
Mid Day
2009-11-23
Mumbai
Not just Priyanka Chopra, but any celebrity or public figure's Twitter
updates can...
State dinner crashers greeted President Obama
Posted by InfoSec News on Nov 29
http://www.washingtonpost.com/wp-dyn/content/article/2009/11/27/AR2009112702650.html
[First thought that came to mind after hearing this was the season
finale of Day 2 on '24' - President Palmer is shaking hands with many of
the onlookers, one of them being a woman hired in Day 1 to assassinate
Palmer. She slips a deadly virus into his hand, and President Palmer
collapses to the ground, panting. - WK]
By Jason Horowitz, Roxanne Roberts and...
Navy to investigate security breach
Posted by InfoSec News on Nov 29
http://www.guardian.co.uk/uk/2009/nov/29/navy-investigate-security-northern-ireland
By Henry McDonald
Ireland editor
The Observer
29 November 2009
Royal Navy investigators flew to Belfast last week after a memory stick
containing "restricted" information on naval manoeuvres and personnel
around the UK was reported missing.
The Observer has learnt that two senior detectives from the Royal Navy
Police's Special Investigation Branch...
Feds To Sharpen Cybersecurity Job Policies
Posted by InfoSec News on Nov 29
http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=221900984
By J. Nicholas Hoover
InformationWeek
November 24, 2009
On the heels of a report that raised concerns about the competency of
cybersecurity pros at the Department of the Interior, the Office of
Personnel Management plans to develop better ways to ensure that the
federal cybersecurity workforce is up to snuff.
In a recent memo to federal HR directors,...
ITL Bulletin for November 2009
Posted by InfoSec News on Nov 29
Forwarded from: "Lennon, Elizabeth B." <elizabeth.lennon@ (at) nist.gov>
ITL BULLETIN FOR NOVEMBER 2009
CYBERSECURITY FUNDAMENTALS FOR SMALL BUSINESS OWNERS
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce
Small businesses contribute significantly to the U.S. economy,
comprising over 95 percent of all businesses in...
US Air Force orders 2200 Sony PS3s
Posted by InfoSec News on Nov 29
http://www.reghardware.co.uk/2009/11/25/ps3_supercomputer/
By James Sherwood
RegHardware
25th November 2009
The US Air Force plans to buy a whopping 2200 PlayStation 3 games
consoles which it will use to expand an existing PS3-based
supercomputer.
The current cluster of consoles contains 336 PS3s, each connected by
their RJ45 ports to a common 24-port Gigabit Ethernet hub, Air Force
online documentation states.
The entire set-up runs on...
Secunia Weekly Summary - Issue: 2009-48
Posted by InfoSec News on Nov 29
========================================================================
The Secunia Weekly Advisory Summary
2009-11-20 - 2009-11-27
This week: 40 advisories
========================================================================
Table of Contents:
1.....................................................Word From...
Computer hacker Gary McKinnon 'is facing a US trial'
Posted by InfoSec News on Nov 29
http://news.bbc.co.uk/2/hi/uk_news/8381961.stm
BBC News
26 November 2009
Computer hacker Gary McKinnon faces being tried in the US after requests
to block his extradition were refused, the Home Office has confirmed.
Home Secretary Alan Johnson told Mr McKinnon's family he could not block
the move on medical grounds.
Glasgow-born Mr McKinnon, 43, who has Asperger's syndrome, is accused of
breaking into US military computers. He says he was...
Surprise "Housewives" dinner guests not invited, White House says
Posted by InfoSec News on Nov 26
http://voices.washingtonpost.com/reliable-source/2009/11/salahi_photos_etc.html
By The Reliable Source
The Washington Post
November 25, 2009
A couple of aspiring reality-TV stars from Northern Virginia appear to
have crashed the White House's state dinner Tuesday night, penetrating
layers of security with no invitation to mingle with the likes of Vice
President Biden and White House Chief of Staff Rahm Emanuel.
Tareq and Michaele Salahi --...
HITB Security Conference 2010 Dubai Call for Papers
Posted by InfoSec News on Nov 26
The Call for Papers for HITB Security Conference 2010 Dubai is now open!
Talks that are more technical or that discuss new and never before seen
attack methods are of more interest than a subject that has been covered
several times before. Summaries not exceeding 1250 words should be
submitted (in plain text format) to cfp -at- hackinthebox.org for review
and possible inclusion in the programme.
Date: April 19th . 22nd 2010
Venue: Sheraton...
Man guilty of selling fake chips to US Navy
Posted by InfoSec News on Nov 26
http://www.channelregister.co.uk/2009/11/25/us_navy_fake_chips/
By John Oates
The Register
25th November 2009
A 32-year-old California man has pleaded guilty to selling thousands of
counterfeit computer processors to the US Navy.
Neil Felahy of Newport Coast, California pleaded guilty to conspiracy
and trafficking in counterfeit goods charges. As part of a plea bargain
Felahy has agreed to co-operate with the US authorities.
He faces a...
Metasploit releases IE attack, but it's unreliable
Posted by InfoSec News on Nov 26
http://www.computerworld.com/s/article/9141485/Metasploit_releases_IE_attack_but_it_s_unreliable?taxonomyId=17
By Robert McMillan
IDG News Service
November 25, 2009
Developers of the open-source Metasploit penetration testing toolkit
have released code that can compromise Microsoft's Internet Explorer
browser, but the software is not as reliable as first thought.
The code exploits an Internet Explorer bug that was disclosed last
Friday in a...
Security Is Chief Obstacle To Cloud Computing Adoption, Study Says
Posted by InfoSec News on Nov 26
http://www.darkreading.com/securityservices/security/perimeter/showArticle.jhtml?articleID=221901195
By Tim Wilson
DarkReading
Nov 25, 2009
Nearly half of organizations say they have no plans to use any cloud
computing technologies in the next year -- and security concerns are the
chief reason why.
That's the conclusion of a survey that will be published next month by
Launchpad Europe, a company that helps emerging firms with global...
NIST Director Sees Key Role In Emerging Technologies
Posted by InfoSec News on Nov 26
http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=221901183
By J. Nicholas Hoover
InformationWeek
November 25, 2009
As it takes on research and standardization in the areas of healthcare
IT, smart grid, and cybersecurity, the National Institute of Standards
and technology has a "critically important" role to play, according to
NIST's new director, Patrick Gallagher.
A 16-year NIST veteran and former...
Cyber breaches kept secret
Posted by InfoSec News on Nov 26
Forwarded from: Simon Taplin <simon.taplin (at) gmail.com>
http://www.itweb.co.za/index.php?option=com_content&view=article&id=28347:cyber-breaches-kept-secret&catid=219:reuters
By Reuters
25 Nov 2009
Cybercriminals regularly breach computer security systems, stealing
millions of dollars and credit card numbers in cases that companies keep
secret, said the FBI's top Internet crimes investigator.
For every break-in like the...
Microsoft warns of IE exploit code in the wild
Posted by InfoSec News on Nov 24
http://news.cnet.com/8301-27080_3-10403756-245.html
By Elinor Mills
InSecurity Complex
CNet News
November 23, 2009
Microsoft on Monday said it is investigating a possible vulnerability in
Internet Explorer after exploit code that allegedly can be used to take
control of computers, if they visit a Web site hosting the code, was
posted to a security mailing list.
Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not
IE 8,...
Inside the Ring - Chinese, Russian cyberwarfare
Posted by InfoSec News on Nov 24
http://www.washingtontimes.com/news/2009/nov/19/inside-the-ring-37209361/
By Bill Gertz
INSIDE THE RING
November 19, 2009
[...]
Chinese, Russian cyberwarfare
The Pentagon's National Defense University recently published a
groundbreaking book that is one of the few U.S. government documents to
highlight the cyberwarfare capabilities of both China and Russia.
The book "Cyberpower and National Security" contains a chapter on the...
Symantec Japan website bamboozled by hacker
Posted by InfoSec News on Nov 24
http://www.theregister.co.uk/2009/11/23/symantec_website_security_snafu/
By John Leyden
The Register
23rd November 2009
A Symantec-run website was vulnerable to Blind SQL Injection problems
that reportedly exposes a wealth of potentially sensitive information.
Romanian hacker Unu used off-the-shelf tools (Pangolin and sqlmap) to
steal a glimpse at the database behind Symantec's Japanese website. A
peek at the Symantec store revealed by the...
NIST Drafts Cybersecurity Guidance
Posted by InfoSec News on Nov 24
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221900722
By J. Nicholas Hoover
InformationWeek
November 23, 2009
Draft guidance from the National Institute of Standards and Technology
issued last week, pushes government agencies to adopt a comprehensive,
continuous approach to cybersecurity, tackling criticism that federal
cybersecurity regulations have placed too much weight on periodic
compliance...
Hancock Fabrics Linked to Fraud in 3 States
Posted by InfoSec News on Nov 24
http://www.bankinfosecurity.com/articles.php?art_id=1961
By Linda McGlasson
Managing Editor
Bank Info Security
November 23, 2009
Bank customers in California, Wisconsin and Missouri are reporting
fraudulent ATM withdrawals that police say are tied to transactions
conducted with the Hancock Fabrics retail chain.
In California, Napa Police Department spokesman Brian McGovern says 60
residents reported their cards being used by thieves. In one...
Federal Computer Week: Security News
The dawn of the 2.0 presidency
The foremost story of 2009 has been the transition from the Bush administration to President Barack Obama's administration -- and all the power shifts that trickle down through technology, policy, procurement and management in government.
Fewer data breaches but more records exposed
Although data breaches are occurring less frequently this year, the number of personal records exposed has risen dramatically.
VA plans wide-ranging IT services contract
The Veterans Affairs Department plans to compete an extensive, multiple-award information technology services contract that would meet the department's software, hardware and engineering needs.
New dashboard tracks cybersecurity programs
Software industry trade association's dashboard rates cybersecurity programs.
The news of 2009: From buzz to bust
Some stories christened by the Buzz of Week in 2009 have proven less buzz-worthy than others.
Wanted: A Smokey Bear for cybersecurity
U.S. cybersecurity strategy needs to develop a public awareness campaign that permeates the workplace, schools and homes.
DHS to miss 2012 deadline to scan containers for radiation
Homeland Security Secretary Janet Napolitano said DHS needs more time to meet a requirement for radiation scanning of 100 percent of cargo containers bound for U.S. seaports.
Northrop Grumman to fund university research on cybersecurity tech
Northrop Grumman plans to fund researchers at Carnegie Mellon, Purdue University and the Massachusetts Institute of Technology with millions of dollars to focus on leap-ahead cybersecurity technologies.
Certifications are not a panacea for cybersecurity woes
A national certification program for cybersecurity professionals won't solve our security problems, writes Daniel Castro.
eWeek Security Watch
Online Banking Users Still Hooked on Phishing
In Virus and Spyware
While phishing attacks on e-banking customers have been around for a long time, people are still getting caught and generating millions in losses for large banks on an annual basis.
Clientless SSL VPN Products Open Web Browser Security Hole
In Vulnerability Research
Dozens of clientless SSL VPN products can be exploited to break Web browser security protections and circumvent same origin policy - and there is no solution to the problem.
Scammers Tapping Into Holiday Drear
In multimedia
Scammers are already ramping up new methods to cash in on the sagging economy at the height of the holiday season.
Spammers Spread Trojan with H1N1 E-Mails
In Trojan attacks
Security vendors are reporting a malware campaign taking advantage of public interest in the H1N1 vaccine.
Commercial E-Banking Fraud: No Withdrawal
In Virus and Spyware
Commercial banks and their customers are facing a wave of renewed activity from attackers, experts with Guardian Analytics maintain.
DarkReading - Security News
DarkReading
Lionbridge Strengthens Technology Leadership Team With Software-as-a-Service Industry Veteran
GameStop and Payless ShoeSource Announce Cross Promotional Offer for Added Savings This Holiday Shopping Season
Cathay Bank Selects NetDeposit as its New Remote Deposit Capture Provider
Bentley University Deploys DigitalPersona Software on Faculty and Student Laptops
Safe and Secure Online Gaming at CasinoClassic.com
Phoenix Technologies Adds Five Directors to Newly Created Board Seats
CouponCabin.com Reaches 29,000 Offers Mark
Gifts That Help Families in Need of Homes
DarkReading - All Stories
DarkReading
Data Masking Helps Keep Live Data From Peeking Out, Experts Say
Data masking can help prevent production data from leaking out through non-production systems, experts say
Bank Phishing Attacks Snare Few Victims But Tally Major Damage
Live phishing attack data on major banks shows just a small percentage of victims translates into big profits for bad guys and big losses for bank customers
Microsoft Targets Enterprise Endpoint With New Products
New Web gateway leverages the cloud and remote access gateway draws on identity
Privacy Pro Claims Sprint Divulged Sensitive Customer Info
Claims are out of context, the carrier maintains, and when it does provide information to investigators, it requires a valid legal request
Top Experts Examine Causes Of Breaches In Spy Museum Forensics Panel
Top security experts discuss cyber breaches in panel at Spy Museum
New Report Helps Enterprises Choose Their Own DAM Products
Dark Reading study of database activity monitoring offers insights on how DAM products work -- and how to choose between them
Product Watch: Snort Maker Rolls Out IPSes For Virtual Environments
Sourcefire adds VMware-based virtual appliances, new version of 3D System IPS platform
Metasploit Gets New Vulnerabilty Scanning Features
Rapid7 takes first step in integrating penetration testing tool with its NeXpose vulnerability scanner, rolls out new free version of NeXpose
Hacker Arrested For Stealing Virtual Assets In Online Game
Man arrested for hacking into other gamers' online accounts
Security Pros In Demand: Report
Security is among a broad mix of jobs expected to receive hiring attention from CIOs, according to the latest IT Hiring Index and Skills Report
Vulnerability Management: The Missing Link In Mobile Device Security
Enterprises, vendors struggle to find methods for detecting security flaws in increasingly-popular portable gadgets
Free Tool Paints Picture Of Stealthy Attacks
Honeynet Project's 'Picviz' gets a graphical user interface
July Theft Of Navy Laptops Serves As Important Reminder
Bottom line: External storage drives shouldn't be overlooked as a security risk
Product Watch: IBM Buys Database Security Firm Guardium
Big Blue plans to integrate Guardium's database activity monitoring technology into its information management software products
Heap Spraying: Attackers' Latest Weapon Of Choice
Difficult to detect reliably, heap spraying was behind an exploit of IE and Adobe Reader
New Exploit Masquerades As Flash Player Upgrade
Fake "security update" to Flash Player brings malware to users' PCs
Spammer Gets Four Years In Slammer
'Godfather of Spam' Alan Ralsky and three associates sentenced for stock fraud spam scheme
CSI Annual Report: Financial Fraud, Malware On The Increase
Computer Security Institute, CSI, annual, report, security, malware, trends, data losses, insider threat, spending, financial fraud
Report: China's After U.S. Secrets, Technology
U.S.-China Economic and Security Review Commission notes a 'marked increase in cyber intrusions originating in China and targeting U.S. government and defense-related computer system'
NIST Urges Feds To Continuously Monitor Cybersecurity Efforts
New document puts more onus on applying risk management throughout the lifecycle of IT systems
Product Watch: Database Acquisition Could Help Check Point Handle Social Network Attacks
Purchase of Facetime database will help Check Point provide security in Web 2.0 environs, officials say
Darknet - The Darkside
Ethical Hacking, Penetration Testing & Computer Security
Microsoft Leaves Users Waiting For Black Screen Of Death Fix
By Darknet on windows7
The news this week has been a flaw in Microsoft’s all versions of Windows labeled as the “Black Screen of Death”, they did acknowledge the problem a few days ago (in a roundabout way) but basically said it wasn’t their fault and it wasn’t widespread. The blame is currently being passed around and as of now, [...]
Read the full post at darknet.org.uk
Process Hacker v1.7 Released – Process Viewer & Memory Editor
By Darknet on windows-security
Process Hacker is a free and open source process viewer and memory editor with unique features such as powerful process termination and a Regex memory searcher. It can show services, processes and their threads, modules, handles and memory regions. Key Features Viewing, terminating, suspending and resuming processes. Restarting processes,...
Read the full post at darknet.org.uk
Home Secretary says McKinnon must face US trial
By Darknet on uk hacker
Since the last update almost a year ago when Gary won the right to appeal against extradition, the latest news in the Gary Mckinnon saga is that his extradition to the US for trial will be going ahead. Even with his apparent medical condition of Ass Burgers Asperger’s it seems he will be extradited anyway according [...]
Read the full post at darknet.org.uk
Cyber, War and Law™
The BLOG where Technology, Cyber Warfare, Law, and Policy intersect.
Cyberlaw Edition of The Air Force Law Review (local copy), 2009
By Dondi S. West
This is really good reading. Click the link below to get a copy of the journal:
Cyberlaw Edition of The Air Force Law Review (local copy), 2009
U.S. Justice Department Indicts Hackers in ATM Heist
By Dondi S. West
The Justice Department indicted eight Russian and Eastern European computer hackers, alleging they were part of a crime ring that broke into ATMs in hundreds of cities world-wide and stole $9 million. HERE is a Copy of The Indictment
McConnell on Thwarting Cyber Attacks
By Dondi S. West
Booz Allen's Mike McConnell appeared on “60 Minutes” to discuss whether nation states or others with ill intent could get into the computer systems that run crucial elements of the US infrastructure, such as the power grids, water works, or the nation’s banking system. view now »
CounterMeasures - A Security Blog
Rik Ferguson blogs about current security issues.
British police remove drop from ocean.
By Rik Ferguson on web
British law enforcement today completed a project dubbed Operation Papworth, aimed at reducing the exposure of the British online shopping public to fraudulent websites in the run up to Christmas. The Metropolitan Police Central e-Crime Unit have been widely reported in the media as “shutting down” or “taking down” more than 1200 websites peddling fraudulent [...]
CNET News - Security
PC Tools Internet Security 2010 reviewed
By Seth Rosenblatt
PC Tools' Internet Security suite for 2010 gets some things right, and frustratingly drops the ball on others.
Originally posted at The Download Blog
Google Chrome now bundled with Avast
By Seth Rosenblatt
You wouldn't necessarily expect it, but Avast and Google Chrome might be the next peanut butter-and-jelly combo in the software world.
Originally posted at The Download Blog
Some Avast users must reinstall flagged files
By Seth Rosenblatt
Avast has fixed a bad virus definition file update that falsely marked hundreds of clean files as threats, but some users are still dealing with the fallout.
Originally posted at The Download Blog
Defense Dept. pulls software over privacy issues
By Elinor Mills
EPIC complaint alleging privacy issues with Echometrix parental control software prompts Defense Department online store to pull the product.
Originally posted at InSecurity Complex
Microsoft to plug critical IE hole targeted by exploit code
By Elinor Mills
Patch Tuesday will see fixes for 12 vulnerabilities in IE, Windows, and Office, three of which are critical.
Originally posted at InSecurity Complex
Google wants to unclog Net's DNS plumbing
By Stephen Shankland
The Net giant, ever eager for a faster Internet, debuts its Google Public DNS service. With it, Google could become even more central to the Net.
Originally posted at Deep Tech
Avast update falsely flags good apps as malware
By Elinor Mills
Czechoslovakia-based antivirus maker fixes security update that mistakenly identified good programs as a Trojan.
Originally posted at InSecurity Complex
Character limitations in passwords considered harmful
By Jonathan Eunice
Some Web sites only allow alphanumeric characters (letters and numbers) in their passwords. This invites bad passwords, lowering security for everyone.
Originally posted at Apps Meet Ops
McAfee uncovers riskiest domains
By Lance Whitney
The African nation of Cameroon (.cm) is deemed the most dangerous, and the popular .com domain comes in second place.
EFF sues feds for info on social-network surveillance
By Elinor Mills
After agencies fail to provide info requested on policies for using Twitter, Facebook, and other social networks in investigations, Electronic Frontier Foundation sues.
Originally posted at InSecurity Complex
Microsoft: November security updates are fine
By Ina Fried
The company's investigation into matter finds there is nothing in the latest Windows updates that should lead users to encounter a so-called "black of screen of death."
Originally posted at Beyond Binary
Fake CDC vaccine e-mail leads to malware
By Elinor Mills
AppRiver warns of scammers preying on public interest in the H1N1 vaccine through an e-mail purporting to come from Centers for Disease Control.
Originally posted at InSecurity Complex
IBM buys database security firm Guardium
By Lance Whitney
Big Blue sees the acquisition bolstering its offerings to enterprises that need to secure databases against both internal and external threats.
Microsoft actively urges IE 6 users to upgrade
By Stephen Shankland
A shopping video and eBay promotion are part of Microsoft's effort to give IE 6 users a reason to upgrade. The company also is trying to move corporate customers away.
Originally posted at Deep Tech
Microsoft investigating 'black screen of death'
By Ina Fried
The software maker is looking into reports that some users' systems aren't working right after installing the latest Windows security updates.
Originally posted at Beyond Binary
Pub fined $13k for Wi-Fi copyright infringement
By David Meyer
Companies offering open Wi-Fi access face legal uncertainty following a court case.
Tips for safe online shopping
By Larry Magid
As the holiday season begins, Larry Magid offers some tips on safe holiday shopping.
Originally posted at Safe and Secure
Big changes in Security Starter Kit 2010
By Seth Rosenblatt
Planning on getting a new computer this holiday season? Stay safe into the New Year with the overhauled Download.com Security Starter Kit for 2010.
Originally posted at The Download Blog
Confidential 9/11 pager messages disclosed
By Declan McCullagh
Glimpse into events of September 11, 2001, terrorist attacks comes from pager messages that have been anonymously published on WikiLeaks.org.
Originally posted at News - Politics and Law
CGISecurity - Website and Application Security News
All things related to website, database, SDL, and application security since 2000.
Potential risks of using Google's free DNS service?
By Robert A. on IndustryNews
Google has announced that they are offering a free DNS service to anyone wanting to use it. Unfortunately the motivations/privacy concerns aren't being discussed in as much detail as I'd like, and people aren't asking the important question of why google is offering such a free service. Several points to consider Google...
Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC
By Robert A. on SDL
Microsoft has published a paper on its ASP.NET MVC framework, how to use it, and how utilization of an SDL eliminates the potential to introduce vulnerabilities such as XSRF. From the paper "On the Microsoft platform, most Web applications are based on ASP.NET and the Microsoft®.NET Framework. ASP.NET MVC is a new...
Clientless SSL VPN products break web browser domain-based security models
By Robert A. on Vulns
A new CERT advisory has been published outlining a weakness in the way web based SSL clients operate, resulting in a Same Origin Policy breakage. Here's the meaty details. "As the web VPN retrieves web pages, it rewrites hyperlinks so that they are accessible through the web VPN. For example, a link...
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
By Robert A. on Vulns
Microsoft has been working on a tool called 'Nozzle' to prevent the exploitation of heap spraying attacks and released a whitepaper describing the process. From the whitepaper. "Heap spraying is a new security attack that significantly increases the exploitability of existing memory corruption errors in type-unsafe applications. With heap spraying, attackers leverage...
No comments:
Post a Comment