Sunday, December 13, 2009

Around The Horn vol.1,163

Microsoft Security Bulletins

MS09-074 - Critical: Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)

Bulletin Severity Rating: Critical - This security update resolves a privately reported vulnerability in Microsoft Office Project. The vulnerability could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-073 - Important: Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)

Bulletin Severity Rating: Important - This security update resolves a privately reported vulnerability in Microsoft WordPad and Microsoft Office text converters. The vulnerability could allow remote code execution if a specially crafted Word 97 file is opened in WordPad or Microsoft Office Word. An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.

MS09-072 - Critical: Cumulative Security Update for Internet Explorer (976325)

Bulletin Severity Rating: Critical - This security update resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. An ActiveX control built with Microsoft Active Template Library (ATL) headers could also allow remote code execution; for more information about this issue, see the subsection, Frequently Asked Questions (FAQ) Related to This Security Update, in this section.

MS09-071 - Critical: Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)

Bulletin Severity Rating: Critical - This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if messages received by the Internet Authentication Service server are copied incorrectly into memory when handling PEAP authentication attempts. On Windows Server 2008, the Internet Authentication Service is replaced by Network Policy Server (NPS). An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. Servers using Internet Authentication Service or Network Policy Server are only affected when using PEAP with MS-CHAP v2 authentication.

MS09-070 - Important: Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)

Bulletin Severity Rating: Important - This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if an attacker sent a specially crafted HTTP request to an ADFS-enabled Web server. An attacker would need to be an authenticated user in order to exploit either of these vulnerabilities.

MS09-069 - Important: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)

Bulletin Severity Rating: Important - This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow a denial of service if a remote, authenticated attacker, while communicating through Internet Protocol security (IPsec), sends a specially crafted ISAKMP message to the Local Security Authority Subsystem Service (LSASS) on an affected system.

The Microsoft Security Response Center (MSRC)

Working to help protect customers from vulnerabilities in Microsoft software

December 2009 Security Bulletin Release

By MSRCTEAM on Exploitability

Summary of Microsoft’s Security Bulletin Release for December 2009

As noted in our Advance Notification (ANS) last Thursday, for the December bulletin release we issued six security bulletins addressing 12 vulnerabilities. Affected products include Windows, Internet Explorer (IE) and Microsoft Office products.

In the ANS, we also noted that the bulletin for IE (MS09-072) is at the top of our deployment priority list this month. As you can see from our Severity and Exploitability Index slide (also referred to as the Risk and Impact slide), MS09-072 is the only bulletin this month that has both a Critical severity rating and our maximum Exploitability Index rating of 1. Of note, each of the five vulnerabilities addressed in this bulletin is Critical and each also has an Exploitability Index rating of 1. One of the vulnerabilities was the subject of Security Advisory 977981 due to public disclosure and affects IE 6 and IE 7, so customers running those versions should install this update as soon as possible.

The update for Active Directory Federation Services, MS09-070, is lower on the deployment list even though it has an Exploitability Index of 1. This is because an attacker would have to have valid logon credentials for the affected server in order to carry out an attack, which gives this a severity rating of Important. The second critical vulnerability affecting Windows, MS09-071, is also lower in our deployment priority as indicated in the slide below. This is mainly due to an Exploitability Index rating of 2, which means that we do not expect to see reliable exploit code for the critical vulnerability within the first 30 days from bulletin release.

To follow up on something I mentioned in the ANS blog post, here is the promised table that maps the bulletin IDs to the numbered bulletins from the ANS document that customers have asked us for:

Bulletin ID    Maps to bulletin number in the ANS
MS09-069       Bulletin 5
MS09-070       Bulletin 6
MS09-071       Bulletin 1
MS09-072       Bulletin 4
MS09-073       Bulletin 2
MS09-074       Bulletin 3

This month we also released two new advisories. The first one, 954157, concerns a Defense in Depth (DiD) update for the Indeo Codec. This update will go out through the Automatic Update system and applies to Windows XP and Windows Server 2003. The update blocks the codec from being used in IE and Windows Media Player in the Internet Zone and offers similar attack surface reduction to that built into Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. For those not running any applications that use the Indeo Codec, you can unregister it to reduce overall attack surface, which we recommend as a best practice, and have the exact same attack surface reduction as on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.

The other advisory, 974926, is the summary advisory for the work we have done around Extended Protection for Authentication. My colleague, MSRC program manager Maarten Van Horenbeeck, has written an extensive post on this subject on our Security Research & Defense blog.

Finally, we re-released MS08-037 for Windows 2000 SP4 systems. This is an Important class update that could result in spoofing. All Windows 2000 SP4 users should re-install the update to be fully protected from this issue.

As we do every month, Adrian Stone and I provide a quick overview of today’s updates in the video below.

We also encourage all customers to join us tomorrow for our live webcast where we will go in to details on all of these bulletins and answer your questions while on the air. Registration information:

Date: Wednesday Dec. 9
Time: 11:00 a.m. PST (UTC -8)
Registration and event link: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032407802

Thank you!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights

Zero Day

Tracking the hackers

Zeus crimeware using Amazon's EC2 as command and control server

By Dancho Danchev on Web 2.0

A recently intercepted variant of the most popular piece of crime, the Zeus bot, is using Amazon's EC2 service as a command and control server.

Adobe plugs dangerous Flash Player security holes

By Ryan Naraine on Mozilla

Adobe has shipped a critical Flash Player update to fix at least seven documented security vulnerabilities that expose nearly every computer user to dangerous hacker attacks.

Patch Tuesday: Microsoft plugs IE 'drive-by download' security holes

By Ryan Naraine on Zero-day attacks

The most serious issues affect the company's Internet Explorer browser, including the newest IE 8 on Windows 7.

Yahoo! News

Yahoo! News: Security News

Security News

Feds go global to fight cybercriminals overseas (AP)

In politics

AP - The tip came from another country's law enforcement officials: Eight major banks in the U.S. were being targeted by cybercriminals operating there.

Facebook rolls out new privacy tool (AFP)

In US

AFP - Facebook on Wednesday began calling on users to get a better grip on their online privacy by dictating who sees what in profiles at the world's leading social networking service.

Computer of Alleged Sarah Palin Hacker Had Spyware (PC World)

In technology

PC World - The 21-year-old college student charged with hacking former Alaska Governor Sarah Palin's Yahoo e-mail account was using a compromised computer that was secretly logging and reporting information without his knowledge, his lawyers say.

Microsoft Patch Tuesday: Critical Update for IE (PC World)

In technology

PC World - Today was Microsoft's final Patch Tuesday of 2009. Microsoft released a total of six new security bulletins, the most urgent one affecting a zero-day flaw in Internet Explorer for which exploit code already exists.

Social Network and Banking Scams Are on the Rise, Says Cisco (PC World)

In technology

PC World - What do phishing, instant messaging malware, DDoS attacks and 419 scams have in common? According to Cisco Systems, they're all has-been cybercrimes that were supplanted by slicker, more menacing forms of cybercrime over the past year.

After Code Is Released, Adobe Illustrator Fix Due Jan 8 (PC World)

In technology

PC World - Nearly a week after an unidentified hacker posted attack code that exploits a flaw in Adobe's Illustrator software, the company says it will fix the issue by Jan. 8.

FTC to Consider Stricter Online Privacy Rules (PC World)

In technology

PC World - The U.S. Federal Trade Commission plans to take a hard look at how it enforces consumer privacy standards in the coming months, with new rules for online companies possibly on the way, the agency's chairman said Monday. 

Yahoo launches online consumer privacy tool (AP)

In technology

AP - A new online tool from Yahoo Inc. will let users see and edit the personal profiles that the Internet company compiles about them to target Internet advertising.

WindowSecurity.com

WindowSecurity.com provides Windows security news, articles, tutorials, software listings and reviews for information security professionals.

VIDEO: Securing USB Thumb Drives with BitLockerToGo

By (Derek Melber)

The process of securing USB Thumb Drives and Hard Drives using BitLockerToGo utility.

Security Fix

Brian Krebs on computer and Internet security

Critical updates for Adobe Flash, Microsoft Windows

In New Patches

Microsoft released six software updates on Tuesday to fix at least a dozen security vulnerabilities in Windows, Internet Explorer, Windows Server and Microsoft Office. More than half of the flaws earned a "critical" rating, meaning criminals could exploit them to break into vulnerable systems without any help from users. Separately, Adobe Systems Inc. issued critical security updates to its Flash Player and AIR Web-browser plugins. The updates are available from the Windows Update Web site, or via the Automatic Update feature in Windows. Probably the most important update for most users is the one for Internet Explorer, which corrects five critical flaws in IE 6, 7 and 8. These are vulnerabilities that attackers could exploit to quietly install malicious software on your machine if you browse with IE to a hacked or booby-trapped site. A description of the rest of the vulnerabilities patched in this month's release from Microsoft is

Security Fix author named 'cybercrime hero'

In From the Bunker

Networking equipment maker Cisco Systems Inc this week bestowed a generous honor on the Security Fix author. In its 2009 annual security report released Tuesday, Cisco names Yours Truly as a "cybercrime hero," citing an ongoing investigative series detailing the plight of small businesses that have lost hundreds of thousands of dollars at the hands of malicious software. The mention comes in a section announcing Cisco's first-ever "Cybercrime Showcase," which the company said aims to "shine a spotlight on individuals and entities who have made significant positive contributions during the past year toward helping make the Internet a safer place for all users." Clearly, I am long overdue to design a decent superhero costume. In all seriousness, I am grateful for the mention, and for the recognition of my work. Interestingly, the two families of malicious software also mentioned as "winners" of Cisco's 2009 "Cybercrime Showcase" are malware families whose

La. firm sues Capital One after losing thousands in online bank fraud

In Small Business Victims

An electronics testing firm in Louisiana is suing its bank, Capital One, alleging that the financial institution was negligent when it failed to stop hackers from transferring nearly $100,000 out of its account earlier this year. In August, Security Fix wrote about the plight of Baton Rouge-based JM Test Systems, an electronics testing firm that in February lost more than $97,000 from two separate unauthorized bank transfers a week apart. According to JM Test, Capital One has denied any responsibility for the losses. On Friday, JM Test filed suit in a Louisiana district court, alleging breach of contract and negligence by the bank. The firm says it is still out a total of $89,000, and that it has spent roughly $70,000 investigating and responding to the breaches. "Capital One was not willing to make good on our losses or attempt any type of settlement," said Happy McKnight, JM Test's controller.

Security - RSS Feeds

Seven Ways to Make Your Security Budget Pay Off in 2010

Putting a price on security is not an easy thing to do, but businesses and organizations around the world do it every year. With 2010 right around the corner, it is time for administrators to at least begin thinking of where their security dollars should go in the coming year. In a slow economy though, those decisions can be made even tougher. Prioritizing what you need and convincing your organization to spend the money can be the difference between a data breach and a quiet day at the office. With that in mind, eWEEK asked a group of analysts what security technologies are on corporate shopping lists for 2010, and some advice on how to squeeze more money into your security budget and prioritize your purchases.

4 Database Security Tips for Dealing With SQL Injections

SQL injection placed number three on Verizon's list of the top 15 most common attacks in its data breach report. Preventing SQL injections can be the difference then between data security and a screaming headline. Here are a few short tips to help protect your databases and applications.
- Earlier this week, a researcher posted proof he had compromised NASA web sites via a SQL injection. Fortunately for NASA, his motive appears to only have been to illustrate weaknesses in their Web sites. Other entities however have not been so lucky. There were of course the breaches of Heartlan...

10 Lessons Learned from Climate Scientists' Stolen E-Mails

NEWS ANALYSIS: The United Nations Climate Change Conference is under way in Copenhagen, but as scientists' stolen e-mails become front-page news, it's important for us to take a step back and consider the ramifications of poor e-mail security and what lessons IT managers and security administrators can learn from this incident.
- As the United Nations Climate Change Conference, or COP 15, in Copenhagen, Denmark, gets under way this week, the summit has been muddied a bit by the details found in scientists' stolen e-mails. The e-mails contain information that has given those who believe global warming concerns are overbl...

Facebook Improves Privacy, Security Controls to Protect Users

Facebook has strengthened user privacy and security controls to help users keep a tighter grip on their data.
- Facebook is calling on its 350 million-strong user base to review and update their privacy settings as it rolls out new tools to enable users to better control their information. The new features, which launch today, include: the ability to control who sees what piece of content on a user's page...

Google Sues over Alleged Work-from-Home Scams

Google is suing Pacific WebWorks and several unnamed defendants for running a scam selling work-from-home tool kits using Google's name. According to Google, people who signed up for the offer were hit with unfair recurring monthly credit card charges.
- Google filed a lawsuit Dec. 7 in U.S. federal court in Utah accusing a company of using its brand name in a work-from-home scam and slamming people with suspect credit card charges. According to Google, Salt Lake City-based Pacific WebWorks and several unnamed defendants offered a tool k...

eWEEK Labs Picks the Stupid Tech Tricks of 2009

It's become a tradition at the end of each year for eWEEK Labs to select not only the products that stood out in testing for their innovation and value-add, but also what we have come to define as stupid technology tricks. We like to think that some year in the near future we will be hard-pressed to come up with enough items for this list, but, alas, this was not that year.

Microsoft Fixes Critical IE Security Vulnerabilities on Final Patch Tuesday for 2009

For its December Patch Tuesday, Microsoft fixes 12 security vulnerabilities affecting Internet Explorer, Windows and other products.
- Microsoft issued patches for 12 security vulnerabilities Dec. 8 for its final Patch Tuesday of 2009, including a fix for a zero-day bug plaguing older versions of Internet Explorer. All told Microsoft issued six security bulletins, three rated critical. The most serious of those is the Internet...

LABS GALLERY: eWEEK Labs' 2009 Products of the Year

eWEEK Labs names the hardware, software and services that stood out among the crowd in 2009.

SecureWorks Acquires U.K. Managed Security Firm

SecureWorks purchases U.K.-based DNS to build up its presence in Europe. DNS specializes in security services, in particular identity management as a service.
- Security service provider SecureWorks has acquired U.K.-based DNS Ltd. to expand its footprint in Europe. The acquisition, made for an undisclosed sum, expands SecureWorks' global operations and service offerings to include a U.K.-based Security Operations Center; offices in London and Edinburg...

Phishing Attacks Cost Millions Despite Low Success Rate

New research from Trusteer shows that while the majority of phishing attacks are unsuccessful, those that slip past security defenses are costing millions of dollars. With nearly half of those who click on links to phishing sites giving up their personal information, here are some tips on what you need to do to protect your enterprise.
- Ever wonder what percentage of people are clicking on those e-mails leading to fraudulent bank log-in pages? The answer is a very small percentage but more than enough for phishers to still make a killing. New research from security firm Trusteer (PDF) shows that once users had been lured to ...

Security

Microsoft security product confusion to continue till 2011

By emil.protalinski@arstechnica.com (Emil Protalinski) on windowsliveonecare

One of our readers recently wrote in to ask about the difference between Windows Live OneCare and Microsoft Security Essentials (MSE). We explained that OneCare has been on its way out the door since Microsoft announced the for-pay solution's death in November 2008. The company also noted in March 2009 that Windows 7 would not play nice with OneCare. Sales of the Windows Live OneCare subscription service, as well as Windows Live OneCare for Server on SBS 2008, ended on June 30, 2009. The software giant's replacement offering, Microsoft Security Essentials, was released in September 2009. In short, MSE was what our reader wanted. The question forced us to look into OneCare again, and we were a little perplexed at what we found.

Seven fail Virus Bulletin's first Windows 7 tests

By emil.protalinski@arstechnica.com (Emil Protalinski) on virusbulletin

Virus Bulletin (VB) conducted its latest test in November, posting the results this month. The security research company evaluated 43 antimalware products (product submission deadline was October 28) for the 32-bit version of Windows 7 Professional. The basic requirements for a product passing the test are detecting, both on demand and on access, in its default settings, all malware known to be "In the Wild" at the time of the review, and not detecting any false positives when scanning a set of clean files. The products were pitted against thousands of unique samples of malware that fall into four categories: WildList viruses, worms and bots, polymorphic viruses, and Trojans.

Support for Windows 2000, Windows XP SP2 ends next July

By emil.protalinski@arstechnica.com (Emil Protalinski) on windowsxp

Microsoft has issued a reminder this week that it will stop providing support for Windows 2000 and Windows XP Service Pack 2 on July 13, 2010. After this date, public support for these products ends and Microsoft will no longer provide any assisted support or security updates. On the same day, Windows 2000 Server will move out of Extended Support while Windows Server 2003 and Windows Server 2003 R2 will move from Mainstream Support to Extended Support, which will end on July 14, 2015. For most of its software, Microsoft provides Mainstream Support, followed by Extended Support, and finishes with just Self-Help Online Support.

Yahoo lets users tweak targeted ads ahead of FTC roundtable

By jacqui@arstechnica.com (Jacqui Cheng) on yahoo

For users, targeted advertising has always walked a thin line between being useful and creepy. This is due in no small part to the fact that advertisers need to see people's surfing habits before they can, well, target them. Yahoo has decided to head off some of that privacy-related criticism by launching a new tool that allows users to see how they're being targeted and lets them control various elements of the process.

With the tool, called "Ad Interest Manager," users are able to see which categories they have been earmarked for based on their searching and browsing history. From here, they can turn certain categories on or off manually, and even opt out of the targeted advertising service altogether (though it might be more preferable if it was opt-in).

SecuriTeam.com

SecuriTeam

Welcome to the SecuriTeam RSS Feed - sponsored by Beyond Security. Know Your Vulnerabilities! Visit BeyondSecurity.com for your web site, network and code security audit and scanning needs.

Invision Power Board SQL PHP File Inclusion and SQL Injection

Invision Power Board has a PHP file inclusion vulnerability that is trivial to exploit with a web browser and a known location of a PHP file residing on the target system. Authorisation is not required. The SQL injection vulnerability is somewhat tricky to exploit as there are quite a few restrictions that make creating a successful SQL attack vector difficult. Nevertheless, a crafty attacker might issue a series of requests that might allow him to gain some information about the target system or even read files from the disk, depending on permissions granted to the DB account that is used by the forum.

FreeBSD SSL and TLS Session Renegotiation vulnerability

The SSL version 3 and TLS protocols support session renegotiation without cryptographically tying the new session parameters to the old parameters.

U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability

The U.S. Defense Information Systems Agency (DISA) publishes Security Readiness Review scripts (SRRs) to ensure systems and software meet security baselines required by the Department of Defense. Unprivileged local users can obtain root access on Unix systems where the DISA SRR scripts are run.

DevIL DICOM Buffer Overflow Vulnerability

A vulnerability in DevIL DICOM "GetUID()" can be exploited by a malicious party to compromise an application using the library.

CoreHTTP Web Server Buffer Overflow Vulnerability

A remotely exploitable "improper input validation" vulnerability in the CoreHTTP web server leads to an off-by-one stack buffer overflow. The vulnerability can lead to denial of service attacks against the web server and potentially to the remote execution of arbitrary code with the privileges of the user running the server.

HP OpenView Network Node Manager DoS Vulnerability

A potential vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely to create a Denial of Service (DoS).

SearchSecurity.com

SearchSecurity: Security Wire Daily News

The latest information security news on IT threats, vulnerabilities and market trends from the award-winning SearchSecurity.com.

Adobe updates Flash Player, fixes seven serious vulnerabilities

By SearchSecurity Staff

Adobe Flash Player 10.0.42.34 repairs memory corruption errors and a data injection vulnerability that could enable an attacker to crash the player and take control of a machine.

Verizon report goes deep inside data breach investigations

By Neil Roiter

A follow-up to earlier findings analyzes the 15 most effective threat factors and what enterprises can do to identify and mitigate compromises.

Microsoft gives Internet Explorer a major security overhaul

By Robert Westervelt

The final regular Microsoft update of 2009 repairs five critical vulnerabilities in IE and blocks public exploit code, which surfaced in November.

RSA's Coviello declines cybersecurity coordinator post

By Robert Westervelt

The federal cybersecurity coordinator position remains vacant more than six months after the Obama administration announced it.

Cybercriminals invest in social networking attacks

By Neil Roiter

The Cisco Annual Security Report highlights the best and worst in the cybercriminal investment portfolio for 2010.

Yahoo Login credentials at risk to hijacking attack

By Robert Westervelt

Cybercriminals target Yahoo and other hosting services using a new phishing campaign to hijack accounts and commit bank fraud. 

SANS NewsBites

All Stories From Vol: 11 - Issue: 96

Judge Signs Off on Filesharing Fine, But Rejects Request to Limit Speech (December 7, 2009)

US District Judge Nancy Gertner has finalized a US $675,000 verdict against Boston University student Joel Tenenbaum for illegal filesharing.......

FTC Holds First of Three Privacy Workshops (December 7, 2009)

At a US Federal Trade Commission (FTC) workshop on privacy held on December 7, FTC Chairman Jon Leibowitz said that his agency will examine its enforcement of consumer privacy standards.......

Electronic Data Redaction Not Always Effective (December 4 & 7, 2009)

The US Transportation Security Administration (TSA) redacted portions of a screening techniques document, but the blacked-out data could be viewed by cutting and pasting sections of the .......

Facebook Establishes Safety Advisory Board (December 7, 2009)

Facebook has established the Facebook Safety Advisory Board to address cyberbullying, phishing and other Internet safety issues facing the social networking site's users.......

Microsoft to End Support for Windows XP SP2 and Windows Server 2000 and Client (December 7, 2009)

Users running older versions of Windows have seven months to upgrade to newer versions before Microsoft cuts off support.......

Company Suing Bank Over Fraudulent Transfers (December 7, 2009)

Electronics testing company JM Test Systems is suing Capital One for alleged breach of contract and negligence for not preventing cyber thieves from transferring nearly US $100,000 out of the company's account.......

Phishers Bait Their Hooks for Webmasters (December 5 & 7, 2009)

Phishers have begun turning their attention to webmasters in an attempt to infect more websites with malware.......

Adobe Issuing Security Updates and Investigating Reported Illustrator Flaw (December 4, 2009)

Adobe is investigating a reported buffer overflow vulnerability in its Illustrator drawing tool.......

Two Charged in Phony Cisco Equipment Scheme (December 4, 2009)

Two men have been charged in connection with a scheme in which they allegedly passed off networking equipment purchased in China as Cisco products.......

ISC Issues Fix for Vulnerability in BIND 9 with DNSSEC Validation (December 3, 2009)

The Internet Systems Consortium (ISC) has issued a patch for a cache poisoning vulnerability in ISC BIND 9 with DNSSEC validation turned on.......

Two Men Get Probation for Manipulating LA Traffic Signals (December 1, 2009)

Two men who broke into the computer system that controls Los Angeles, California's traffic signals have been sentenced to two years probation.......

GIAC Certifications in Demand Among Employers (September 28, 2009)

Foote Partners' 2009 IT Skills Trends Report published earlier this year lists the IT certifications most valued by employers in the IT security industry.......

SANS Internet Storm Center, InfoCON: green

OSSEC 2.3 released, (Wed, Dec 9th)

OSSEC 2.3 was actually released a few days ago, but a careful reader pointed out we had not cov ...(more)...

New Poll: What DNS service do you use (see right hand sidebar), (Wed, Dec 9th)

Adobe flash player and air patched, (Wed, Dec 9th)

The almost universally installed Flash Player from Adobe has been updated to version 10.0 ...(more)...

December 2009 Black Tuesday Overview, (Tue, Dec 8th)

Overview of the December 2009 Microsoft patches and their status. ...(more)...

Layer 2 Network Protections - reloaded!, (Mon, Dec 7th)

So Rob, you say, aren't we done talking about protecting switches and the like at Layer 2 yet? ...(more)...

Cheat Sheet: Analyzing Malicious Documents, (Mon, Dec 7th)

Today was a calm day at the ISC, so I had some time to catch up on some backlogged email. One ...(more)... 

SANS RSS Feed

SANS Information Security Reading Room

Last 25 Computer Security Papers added to the Reading Room

Information Security: Starting Out

Category: Getting Started/InfoSec

Paper Added: December 7, 2009

The Register - Security

Biting the hand that feeds IT

Lawyers claim Palin hack suspect's PC had spyware
Groundwork laid for possible Big Wooden Horse defence

Lawyers for Sarah Palin webmail hack suspect David Kernell claim his PC was infected with spyware.…

Zeus bot found using Amazon's EC2 as C&C server
Clouds on Mount Olympus

Add Amazon's EC2 to the roster of cloud-based services being exploited to do the bidding of malware gangs.…

Crooks pitch World Cup scams after group draw
Speculative efforts from outside the box discouraged

Cybercrooks have begun punting World Cup ticket and HD TV viewing scams as a successor to earlier lottery-based cons.…

Facebook screams at users: 'Sort your privacy. NOW'
As it throws switch on new tools

Facebook has ordered its 350 million users to sort out their privacy settings right now, before it throws the switch on its revamped security system.…

German ISPs team up with gov agency to clean up malware
Although anti-botnet offensive panned by critics

The German government is planning to establish a botnet cleanup helpline for computer users affected by malware infection.…

Last patch train of the decade rolls in from Redmond
Zero-day IE fix stars in Black Tuesday update

A critical update addressing a zero-day vulnerability in Internet Explorer starred among the six bulletins published by Microsoft on Tuesday, as part of Redmond's last Black Tuesday update of the decade.…

Adobe Flash update lances zero-day vuln
There's more where that came from

Adobe is due to release an update for Flash Player later on Tuesday that plugs a zero-day vulnerability.…

Scammers scrape RAM for bank card data
Malware sidesteps encryption

Forget keyloggers and packet sniffers. In the wake of industry rules requiring credit card data to be encrypted, malware that siphons clear-text information from computer memory is all the rage among scammers, security researchers say.…

Koobface worm dons tinsel to snag seasonally-affected marks
SatAnic SantA shenAnigans

Festive miscreants have begun using Xmas-themed lures to push the Koobface worm.…

Google sues alleged work-at-home scammers
Sham Google DVDs contained malware

Google has sued to stop what it called "a widespread internet advertising scam" being pushed by a Utah company that allegedly used the search engine's trademark when offering work-at-home opportunities.…

Ruggedised botnets pushing out even more spam
Future rogue ISP takedowns unlikely to bring relief

Cybercrooks have adapted to the takedown of rogue ISPs by building more resilient botnets.…

Adware touts $1 bribe to prospective zombies
An offer you can refuse

An adware distributor is offering to pay punters $1 to install their crud.…

PGP disk encrypt approved by MoD for military use
Good enough for personal data, not for missile codes

The UK MoD has certified PGP Corporation's whole disk encryption technology as suitable for use on British military computers. However, like most software-only solutions, it has been approved only for machines holding fairly low-level information.…

Service cracks wireless passwords from the cloud
135 million words in 20 minutes

A security researcher has unveiled a low-cost service for penetration testers that checks the security of wireless networks by running passwords against a 135-million-word dictionary.…

Webmasters targeted in cPanel look-alike phish
Wanted: FTP credentials

Fraudsters are targeting webmasters in a massive phishing campaign that attempts to trick marks into giving up credentials needed to administer their sites.…

One in 200 success rate keeps phishing economy ticking over
Nibbles add up to big haul

Phishers only need to land a minute percentage of victims to make scams worthwhile.…

TSA, HSBC in secret doc redaction oopsie
Your uh, data is showing

The Transport Security Administration (TSA) and the US arm of bank HSBC have both failed to properly redact documents they published online.…

Hacker scalps NASA-run websites
Pulling a McKinnon

Miscreants took advantage of weak security to hack into two NASA-run websites over the weekend.…

Dodgy Avast update classifies multiple legit files as malign
Initiates needless Chicken Little-style panic

Popular free of charge anti-virus scanner Avast went berserk late last week and began classifying legitimate files as infected.…

Network World on Security

The latest security news, analysis, reviews and feature articles from NetworkWorld.com.

Social network and banking scams are on the rise, says Cisco

What do phishing, instant messaging malware, DDoS attacks and 419 scams have in common? According to Cisco Systems, they're all has-been cybercrimes that were supplanted by slicker, more menacing forms of cybercrime over the past year.

Company sued by Google had a profitable year

Pacific WebWorks has had a very profitable year despite a raft of complaints from its customers, a class action suit filed against it in Illinois and now a civil suit from Google filed on Monday.

After code is released, Adobe Illustrator fix due Jan 8

Nearly a week after an unidentified hacker posted attack code that exploits a flaw in Adobe's Illustrator software, the company says it will fix the issue by Jan. 8.

Judge affirms $675,000 verdict in RIAA music piracy case

A federal judge in Boston signed off on a $675,000 fine that a jury assessed against Boston University doctoral student Joel Tenenbaum for illegally sharing 30 copyrighted songs.

New cloud-based service steals Wi-Fi passwords

For US$34, a new cloud-based hacking service can crack a WPA (Wi-Fi Protected Access) network password in just 20 minutes, its creator says.

Economic Recovery: Will Your IT Security Department Leave?

After a year of uncertainty and difficult circumstances in business, many analysts say it appears the economy has begun to calm down and organizations are slowly shifting from survival mode back to strategically considering ways to grow business. Sounds like good news, right? According to IANS, a Boston-based research company that focuses on information security, regulatory compliance and IT risk management, it is good news, but it doesn't come without some challenges for information security departments.

FTC to consider stricter online privacy rules

The U.S. Federal Trade Commission plans to take a hard look at how it enforces consumer privacy standards in the coming months, with new rules for online companies possibly on the way, the agency's chairman said Monday.

Facebook users fall for rubber duck's friend request

Facebook users haven't learned to keep their personal information private, a security researcher said today after his company conducted a test that sent randomly-selected people a friend request from bogus accounts.

Novell grabs for big role in virtualization security

Novell this week will lay out an ambitious plan to secure applications across heterogeneous virtualization platforms at customer sites and off-premises, an effort designed to play off Novell's strengths in network and identity management.

DoorStop X Security Suite 2.3

A firewall by its very definition is, "any barrier that is intended to thwart the spread of a destructive agent." When it comes to your Mac, that "destructive agent" is anyone on the Internet or your local network who wants to gain unauthorized access to your computer and data. DoorStop X Security Suite is a collection of three tools designed to leverage your Mac's built-in firewall, help you understand how others are trying to access your computer, and to help you understand how to keep your Mac secure.

China warns of Skype phishing, shuts offending domain

China's cyberthreat response group Monday warned local Skype users about phishing scams being carried out through the chat program, in a show of ongoing efforts to counter phishing in the country.

iPhone winning over some corporate security skeptics

Apple's iPhone is slowly but surely winning over some enterprise security skeptics. As a result, it's now showing up alongside, or instead of, Research in Motion BlackBerries and Microsoft Windows Mobile handsets, despite the fact Apple offers none of the security and management features that are hallmarks of those two platforms.

McAfee Avert Labs

Cutting edge security research as it happens.......

FIFA World Cup Tickets Scams Available Now

By Francois Paget on Web and Internet Safety

We recently alerted our readers to spam campaigns using the H1N1 vaccination program to prompt recipients to open the mail. And we have frequently mentioned that crooks love to take advantage of news, disasters, and other events. Now that the final draw for the FIFA World Cup in South Africa next year has taken place, it [...]

InSecurity Complex

Keeping tabs on flaws, fixes, and the people behind them.

Microsoft plugs zero-day IE hole

By Elinor Mills

Cumulative Internet Explorer bulletin affects current Windows versions, including Windows 7.

Google sues over alleged work-at-home scams

By Elinor Mills

Civil suit alleges that Pacific WebWorks and others are ripping people off with fake work-at-home ads using Google's name and unauthorized credit card charges.

Info Security News

Carries news items (generally from mainstream sources) that relate to security.

Scammers scrape RAM for bank card data

Posted by InfoSec News on Dec 08

http://www.theregister.co.uk/2009/12/09/ram_scraper_credit_card_theft/
By Dan Goodin in San Francisco
The Register
9th December 2009
Forget keyloggers and packet sniffers. In the wake of industry rules
requiring credit card data to be encrypted, malware that siphons
clear-text information from computer memory is all the rage among
scammers, security researchers say.
So-called RAM scrapers scour the random access memory of POS, or...

Hacker Exposes Unfixed Security Flaws In Pentagon Website

Posted by InfoSec News on Dec 08

http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=222001155
By Kelly Jackson Higgins
DarkReading
Dec 08, 2009
A Romanian hacker has posted a proof-of-concept attack exploiting
vulnerabilities on the Pentagon's public Website that were first exposed
several months ago and remain unfixed.
The hacker, who goes by Ne0h, demonstrated input validation errors in
the site's Web application that allow an attacker to...

TJX Hacker to Plead Guilty to Heartland Breach

Posted by InfoSec News on Dec 08

http://www.wired.com/threatlevel/2009/12/gonzalez-heartland-plea
By Kim Zetter
Threat Level
Wired.com
December 8, 2009
Admitted TJX intruder Albert Gonzalez has entered into a plea agreement
on charges that he hacked into Heartland Payment Systems, Hannaford
Brothers, 7-Eleven and two other unnamed national retailers.
The revelation comes in a filing made by Gonzalez's attorney in U.S.
District Court in New Jersey, where the Heartland...

Microsoft plugs zero-day IE hole

Posted by InfoSec News on Dec 08

http://news.cnet.com/8301-27080_3-10411612-245.html
By Elinor Mills
InSecurity Complex
CNet News
December 8, 2009
Microsoft released fixes on Tuesday for critical vulnerabilities in
Internet Explorer, including one for which exploit code has been
released.
Adobe, meanwhile, was scheduled to release a critical update affecting
Flash Player and Adobe AIR, following news of exploit code being
released for a vulnerability in Illustrator CS3...

Hacker charges $43,000 in calls to Buffalo Grove firm's phone

Posted by InfoSec News on Dec 08

http://www.pioneerlocal.com/buffalogrove/news/1926703,bg-cuba-phone-121009-s1.article
By KATHY ROUTLIFFE
Pioneerlocal.com
December 8, 2009
"Reach out and trick someone" could be the slogan of a hacker who
charged $43,000 in telephone calls -- mostly to Cuba -- to a Buffalo
Grove worker's company phone within a period of days.
Police reported that an employee at RMS Technologies, 1359 N. Barclay
Blvd., became aware someone had...

TSA Leaks Sensitive Airport Screening Manual

Posted by InfoSec News on Dec 08

http://www.wired.com/threatlevel/2009/12/tsa-leak
By Kim Zetter
Threat Level
Wired.com
December 7, 2009
Who needs anonymous sources when the government is perfectly capable of
leaking its own secrets?
Government workers preparing the release of a Transportation Security
Administration manual that details airport screening procedures badly
bungled their redaction of the .pdf file. Result: The full text of a
document considered...

Is Ankit Fadia selling Viagra?

Posted by InfoSec News on Dec 08

http://www.mid-day.com/news/2009/dec/081209-ankit-fadia-hacker-hacked.htm
By Shashank Shekhar
MiD DAY
2009-12-08
Maybe not. But someone has hacked into India's most famous geek's
website and linked it to another one promoting Viagra.
It's a case of a protector turning a victim.
The cyber world is buzzing with the news that India's renowned cyber
security guru Ankit Fadia's business website has been hacked by spammers,
who have linked it...

White House security 'breached 91 times since 1980'

Posted by InfoSec News on Dec 08

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article6946937.ece
By Giles Whittell in Washington
The Times
December 8, 2009
If the would-be celebrities who crashed a White House state dinner knew
what the Secret Service knew they might not even have bothered to dress
up.
According to a devastating internal review leaked after Tareq and
Michaele Salahi strolled into the banquet for the Indian Prime Minister
without a ticket,...

Product Watch: Voice Encryption Firm Offers $250K In Gold To Hack Its Technology

Posted by InfoSec News on Dec 08

http://www.darkreading.com/vulnerability_management/security/encryption/showArticle.jhtml?articleID=222000888
By Kelly Jackson Higgins
DarkReading
Dec 07, 2009
An Israeli mobile security firm that a month ago offered $100,000 in
gold to anyone who could hack its voice encryption technology has upped
the ante to $250,000. Gold Lock posted a sample of an encrypted voice
conversation on its Website and is offering the golden reward to any...

Security breach compromises information on District 86 grads

Posted by InfoSec News on Dec 08

http://www.pioneerlocal.com/clarendonhills/news/1925539,clarendon-hills-breach-121009-s1.article
By SANDY ILLIAN BOSCH
pioneerlocal.com
December 7, 2009
Hinsdale High School District 86 no longer uses Social Security numbers
to identify students and it no longer uses University of Nebraska
Lincoln to conduct research, Superintendent Nicholas Wahl said upon
hearing of a computer security breach that involved the names,
addresses and...

New cloud-based service steals Wi-Fi passwords

Posted by InfoSec News on Dec 08

http://www.computerworld.com/s/article/9141921/New_cloud_based_service_steals_Wi_Fi_passwords?taxonomyId=17
By Robert McMillan
IDG News Service
December 7, 2009
For $34, a new cloud-based hacking service can crack a WPA (Wi-Fi
Protected Access) network password in just 20 minutes, its creator says.
Launched today, the WPA Cracker service bills itself as a useful tool
for security auditors and penetration testers who want to know if they...

Can Electronic Medical Records Be Secured?

Posted by InfoSec News on Dec 08

http://www.informationweek.com/news/healthcare/EMR/showArticle.jhtml?articleID=221601440
By Mitch Wagner
InformationWeek
December 5, 2009
While electronic medical records promise massive opportunities for
patient health benefits and reductions in administrative costs, the
privacy and security risks are equally huge.
The Obama administration has set an ambitious goal--to get electronic
medical records on file for every American by 2014. The...

Climategate: was Russian secret service behind email hacking plot?

Posted by InfoSec News on Dec 06

http://www.telegraph.co.uk/earth/copenhagen-climate-change-confe/6746370/Climategate-was-Russian-secret-service-behind-email-hacking-plot.html
Telegraph.co.uk
06 Dec 2009
Thousands of emails, from the University of East Anglia's Climatic
Research Unit (CRU) were first published on a small server in the city
of Tomsk in Siberia.
So-called 'patriot hackers' from Tomsk have been used in the past by the
Russian secret service, the FSB, to...

USENIX HealthSec '10 Call for Papers Now Available

Posted by InfoSec News on Dec 06

Forwarded from: Lionel Garth Jones <lgj (at) usenix.org>
On behalf of the 1st USENIX Workshop on Health Security and Privacy
(HealthSec '10) program committee, we invite you to submit innovative
papers covering all aspects of healthcare information security and
privacy. Please submit all papers by April 9, 2010, 11:59 p.m. PDT (firm
deadline).
HealthSec '10 is intended as a forum for lively discussion of
aggressively innovative and...

PayPal mistakes own email for phishing attack

Posted by InfoSec News on Dec 06

http://www.theregister.co.uk/2009/12/04/paypal_phishing_false_alarm/
By John Leyden
The Register
4th December 2009
Banks and financial institutions are fond of lecturing customers about
the perils of phishing emails, the bogus messages that attempt to trick
marks into handing over their login credentials to fraudulent sites. Yet
many undo this good work by sending out emails themselves that invite
users to click on a link and log into their...

HSBC exposed sensitive bankruptcy data

Posted by InfoSec News on Dec 06

http://www.computerworld.com/s/article/9141834/HSBC_exposed_sensitive_bankruptcy_data?taxonomyId=17
By Robert McMillan
IDG News Service
December 4, 2009
HSBC Bank says a bug in its imaging software inadvertently exposed
sensitive data about some of its customers going through bankruptcy
proceedings.
In notification letters made public Thursday, the bank said it had
redacted sensitive information in Chapter 13 bankruptcy proof-of-claim...

Federal Computer Week: Security News

DHS releases cyber incident response draft plan

The Homeland Security Department wants comments on a national plan that would define government and industry responsibilities for responses to cyber incidents.

NIST gets new director at a critical time for the agency

The National Institute of Standards and Technology has become an economic enabler for a nation that is increasingly dependent on IT and the ability to securely share and use information, said newly confirmed administrator Patrick Gallagher.

Steven Cooper returns to government

Steven Cooper, the Homeland Security Department's first chief information officer, has returned to the federal government after four years away.

All-seeing security program spreading throughout DOD

McAfee teams with Northrop Grumman to provide host-based security system that monitors Defense Department networks inside and out.

Vulnerability in DISA security scripts could leave systems at risk

DISA warns government users not to run Unix Readiness Review Scripts until it fixes a vulnerability.

Critical infrastructure protection calls for carrots and sticks

A report by the Internet Security Alliance stresses the use of economic incentives to improve the security of our critical infrastructure, but government regulation can also be an effective and sometimes necessary tool.

Is a 'digital Pearl Harbor' in our future?

We are more vulnerable than ever, but such an attack would not be easy.

Will 2010 bring a wake-up call for cybersecurity?

Protecting the nation’s networked systems from cyber threats is not going to get any easier in 2010.

eWeek Security Watch

Phishing Ploy Seeks to Hijack CMS Creds

In e-banking fraud

Phishers are targeting users of popular online content management systems to add e-banking fraud attacks to legitimate Web sites.

Adobe to Fix Zero-Day Security Vulnerability

In Vulnerability Research

Adobe officials said they plan to fix a security bug affecting Adobe Illustrator by early January. Attack code for the bug surfaced last week.

Enterprise Databases in Distress

In Security

Enterprise organizations are still struggling to lock down their databases of critical information, despite trying harder to do so, according to a new report from Enterprise Strategy Group.

DarkReading - Security News

DarkReading

PGP(R) Whole Disk Encryption Approved for Use Within Ministry of Defence

DarkReading - All Stories

DarkReading

Microsoft Closes Five Holes In IE With Patch Tuesday Update

Microsoft issues six security patches

Hacker Exposes Unfixed Security Flaws In Pentagon Website

Romanian hacker posts proof-of-concept attacks for Pentagon's public Website

Cyber Attacks Take On A New Hue

Cisco paints the current online environment in a light orange hue -- that's 7.2 on a scale of 1 to 10

The IPS Goes Virtual

Major IPS vendors adding virtual IPSes, and pushing IPSes to virtual computing environments

Microsoft Warns Of Malware-Laced Counterfeit Software

Complaints about counterfeit software infected with malware doubled in past two years

Product Watch: Voice Encryption Firm Offers $250K In Gold To Hack Its Technology

Mobile security firm Gold Lock offers even bigger golden reward for successfully cracking its voice encryption

Darknet - The Darkside

Ethical Hacking, Penetration Testing & Computer Security

inSSIDer v1.2.3.1014 – Wi-Fi network scanner For Windows

By Darknet on wireless hacking tool

inSSIDer is an award-winning free Wi-Fi network scanner for Windows Vista and Windows XP. Because NetStumbler doesn’t work well with Vista and 64-bit XP, we built an open-source Wi-Fi network scanner designed for the current generation of Windows operating systems. What’s Unique about inSSIDer? Use Windows Vista and Windows XP...
Read the full post at darknet.org.uk

CounterMeasures - A Security Blog

Rik Ferguson blogs about current security issues.

A whole new meaning to Phishing.

By Rik Ferguson on web

UPDATE: At the suggestion of Dan Raywood from SC Magazine I am now offering up a prize to the first person to mail me all the fish I have (kind of) hidden in the blog entry. You can win my splendid USB fridge to keep your prize catch cool. UPDATE 2: This competition has now closed [...]

CNET News - Security

Norton Online Backup 2.0 hits the Web

By Harrison Hoffman

Updated version comes with new features such as support for Mac and Windows, 90-day file versioning, and the ability to send file download links via e-mail.

Originally posted at The Web Services Report

Microsoft plugs zero-day IE hole

By Elinor Mills

Cumulative Internet Explorer bulletin affects current Windows versions, including Windows 7.

Originally posted at InSecurity Complex

Google sues over alleged work-at-home scams

By Elinor Mills

Civil suit alleges that Pacific WebWorks and others are ripping people off with fake work-at-home ads using Google's name and unauthorized credit card charges.

Originally posted at InSecurity Complex

Study: Facebook users willingly give out data

By Don Reisinger

Facebook users still haven't mastered the whole "privacy thing" when it comes to sharing personal information with others, a study from security firm Sophos finds.

Originally posted at Webware

Youth using phones to harass and spy on partners

By Larry Magid

A digital abuse study by MTV and Associated Press finds that nearly 1 in 4 youths say that romantic partners have checked their cell phone text messages without permission.

Originally posted at Safe and Secure
