Aurora Report: Around The Horn vol.2,3

Zero Day

Tracking the hackers

Tor Project suffers hack attack

By Ryan Naraine on Zero-day attacks

Hackers broke into two of Tor Project servers and used the CPU and bandwidth to launch additional attacks.

RealPlayer haunted by 11 critical vulnerabilities

By Ryan Naraine on Viruses and Worms

RealNetworks released an advisory to warn of the vulnerabilities, which could be exploited via rigged image and media files to launch remote code execution attacks.

And the most popular password is...

By Dancho Danchev on Web 2.0

Analysis based on 32 million passwords from last month's RockYou.com server breach, shows that millions of people continue using weak passwords.

Microsoft knew of IE zero-day flaw since last September

By Ryan Naraine on Vulnerability research

Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.

Mozilla drops Firefox 3.6 with security goodies

By Ryan Naraine on Responsible disclosure

The Firefox 3.6 update includes new features to patch third-party Firefox plug-ins and lock out rogue add-ons.

AFP - China on Monday denied any state involvement in cyberattacks on Google and defended Internet censorship as necessary, as a row with Washington over the US firm's threat to leave the country rumbled on.

TaoSecurity

Richard Bejtlich's blog on digital security and the practices of network security monitoring, incident response, and forensics.

Look Beyond the Exploit

By Richard Bejtlich

The post One Exploit Should Not Ruin Your Day by Dino Dai Zovi made me think:
Finally, the larger problem is that it only took one exploit to compromise these organizations. One exploit should never ruin you day. [sic]
No, that is wrong. The larger problem is not that it "only took one exploit to compromise these organizations." I see this mindset in many shops who aren't defending enterprises on a daily basis. This point of view incorrectly focuses on exploitation as a point-in-time, "skirmish" event, disconnected from the larger battle or the ultimate campaign.
The real "larger problem" is that the exploit is only part of a campaign, where the intruder never gives up. In other words, comprehensive threat removal is the problem. There is no "cleaning," or "disinfecting," or "recovery" at the battle or campaign level. You might restore individual assets to a semi-trustworthy state, but the advanced persistent threat only cares that they can maintain long-term access to the environment.
If the problem were simply defending against a compromised asset, we would not still be talking about this issue. Rather, the problem is that it is exceptionally difficult, if not impossible, to remove this threat. Individual exploits add to the problem but they are only skirmishes.

Review of Network Maintenance and Troubleshooting Guide, 2nd Ed Posted

By Richard Bejtlich

Amazon.com just posted my 5 star review of Network Maintenance and Troubleshooting Guide, 2nd Ed by Neal Allen. From the review:
Good network troubleshooting books are rare. TCP/IP Analysis and Troubleshooting Toolkit by Kevin Burns (2003), Troubleshooting Campus Networks by Priscilla Oppenheimer and Joseph Bardwell (2002), and Network Analysis and Troubleshooting by Scott Haugdahl (1999) come to mind. Network Maintenance and Troubleshooting Guide (NMATG) brings a whole new dimension to network analysis, particularly at the lowest levels of the OSI model. I found topics covered in NMATG that were never discussed in other books. While not for every networking person, NMATG is a singular reference that belongs on a network professional's shelf.

Submit Questions for OWASP Podcast

By Richard Bejtlich

Jim Manico invited me to speak on the OWASP Podcast. If you'd like me to try answering specific questions, please email them to podcast at owasp.org. When the show is posted I will let everyone know here. Thank you.

Sguil 0.7.0 on Ubuntu 9.10

By Richard Bejtlich

Today I installed a Sguil client on a fresh installation of Ubuntu 9.10.
It was really easy with the exception of one issue I had to troubleshoot, explained below.
First notice that tcl8.4 and tk8.4 is already installed on Ubuntu 9.10.

richard@janney:~$ dpkg --list | grep -i tcl

ii  tcl8.4                               8.4.19-3

Tcl (the Tool Command Language) v8.4 - run-t

ii  tk8.4                                8.4.19-3

Tk toolkit for Tcl and X11, v8.4 - run-time

richard@janney:~$ sudo apt-get install tclx8.4 tcllib

 iwidgets4 tcl-tlsReading package lists... Done

Building dependency tree

Reading state information... Done

The following extra packages will be installed:

  itcl3 itk3

Suggested packages:

  itcl3-doc itk3-doc iwidgets4-doc tclx8.4-doc

The following NEW packages will be installed:

  itcl3 itk3 iwidgets4 tcl-tls tcllib tclx8.4

0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.

Need to get 4,127kB of archives.

After this operation, 18.1MB of additional disk space will be used.

Do you want to continue [Y/n]? y

Get:1 http://us.archive.ubuntu.com karmic/universe itcl3 3.2.1-5 [99.4kB]

...truncated...

Next install wireshark via apt-get. I don't show that here.
The server I want to connect to is running Sguil 0.7.0, not the version currently in CVS. If you try connecting from a CVS client to a 0.7.0 server, the client will report an error like

error writing "sock6": connection reset by peer

On the server side you will see Sguil die on error:

pid(37598)  Client Connect: 192.168.2.194 39901 sock15

pid(37598)  Validating client access: 192.168.2.194

pid(37598)  Valid client access: 192.168.2.194

pid(37598)  Sending sock15: SGUIL-0.7.0 OPENSSL ENABLED

pid(37598)  Client Command Received: VersionInfo {SGUIL-0.7.0 OPENSSL ENABLED}

pid(37598)  ERROR: Client connect denied - mismatched versions

pid(37598)  CLIENT VERSION: {SGUIL-0.7.0 OPENSSL ENABLED}

pid(37598)  SERVER VERSION: SGUIL-0.7.0 OPENSSL ENABLED

Error: can not find channel named "sock15"

can not find channel named "sock15"

    while executing

"close $socketID"

    (procedure "ClientVersionCheck" line 11)

    invoked from within

"ClientVersionCheck $socketID $data1 "

    ("VersionInfo" arm line 1)

    invoked from within

"switch -exact $clientCmd {

      DeleteEventID { $clientCmd $socketID $index1 $index2 }

      DeleteEventIDList { $clientCmd $socketID $data1 }

      ..."

    (procedure "ClientCmdRcvd" line 38)

    invoked from within

"ClientCmdRcvd sock15"

SGUILD: killing child procs...

SGUILD: Exiting...

If you diff the sguil.tk from 0.7.0 against sguil.tk from CVS these differences explain what is happening:

richard@janney:~/sguil/client$ diff /home/richard/Downloads/sguil-0.7.0/client/sguil.tk sguil.tk

5c5

---

> # $Id: sguil.tk,v 1.254 2008/09/21 02:59:25 bamm Exp $ #

156,162d155

203a197

>       PassChange { $serverCmd [lindex $data 1] [lindex $data 2] }

235c229

---

>     puts $socketID [list VersionInfo $tmpVERSION]

...truncated...

Finally I like to edit my sguil.conf as shown to account for Wireshark's location and to reduce the number of panes from the default of 3 down to 1.

richard@janney:~/Downloads/sguil-0.7.0/client$ diff sguil.conf.orig sguil.conf

49c49

---

> set WIRESHARK_PATH /usr/bin/wireshark

73c73

---

> set RTPANES 1

78,80c78,80

---

> set RTPANE_PRIORITY(0) "1 2 3 4 5"

> #set RTPANE_PRIORITY(1) "2 3"

> #set RTPANE_PRIORITY(2) "4 5"

At this point I can use the Sguil client.
Unfortunately I continue to have a problem with DNS resolution. (I reported one a while back.)

can't read "state(reply)": no such element in array

can't read "state(reply)": no such element in array

    while executing

"binary scan $state(reply) SSSSSS mid hdr nQD nAN nNS nAR"

    (procedure "Flags" line 13)

    invoked from within

"Flags $token flags"

    (procedure "dns::name" line 3)

    invoked from within

"dns::name $tok"

    (procedure "GetHostbyAddr" line 47)

    invoked from within

"GetHostbyAddr $srcIP"

    (procedure "ResolveHosts" line 23)

    invoked from within

"ResolveHosts"

    invoked from within

".eventPane.pane1.childsite.detailPane.pane0.childsite.detailTabs.canvas.notebook.

 cs.page1.cs.ipDataFrame.dnsDataFrame.dnsActionFrame.dnsButton invoke"

    ("uplevel" body line 1)

    invoked from within

"uplevel #0 [list $w $cmd]"

    (procedure "tk::CheckRadioInvoke" line 3)

    invoked from within

"tk::CheckRadioInvoke .eventPane.pane1.childsite.detailPane.pane0.childsite.detailTabs.canvas.notebook.

 cs.page1.cs.ipDataFrame.dnsDataFrame.dnsActionFr..."

    (command bound to event)

I noticed a similar error on the sguil-users mailing list and tried installing libudp-tcl, but I got the same error.

Attribution Using 20 Characteristics

By Richard Bejtlich

My post Attribution Is Not Just Malware Analysis raised some questions that I will try to address here. I'd like to cite Mike Cloppert as inspiration for some of this post.
Attribution means identifying the threat, meaning the party perpetrating the attack. Attribution is not just malware analysis. There are multiple factors that can be evaluated to try to attribute an attack.

Timing. What is the timing of the attack, i.e., fast, slow, in groups, isolated, etc.?
Victims or targets. Who is being attacked?
Attack source. What is the technical source of the attack, i.e., source IP addresses, etc.?
Delivery mechanism. How is the attack delivered?
Vulnerability or exposure. What service, application, or other aspect of business is attacked?
Exploit or payload. What exploit is used to attack the vulnerability or exposure?
Weaponization technique. How was the exploit created?
Post-exploitation activity. What does the intruder do next?
Command and control method. How does the intruder establish command and control?
Command and control servers. To what systems does the intruder connect to conduct command and control?
Tools. What tools does the intruder use post-exploitation?
Persistence mechanism. How does the intruder maintain persistence?
Propagation method. How does the intruder expand control?
Data target. What data does the intruder target?
Data packaging. How does the intruder package data for exfiltration?
Exfiltration method. How does the intruder exfiltrate data?
External attribution. Did an external agency share attribution data based on their own capabilities?
Professionalism. How professional is the execution, e.g., does keystroke monitoring show frequent mistakes, is scripting used, etc.?
Variety of techniques. Does the intruder have many ways to accomplish its goals, or are they limited?
Scope. What is the scope of the attack? Does it affect only a few systems, many systems?

As you can see, there are many characteristics than can be assessed in order to determine if an incident is likely caused by a certain party. Mature security shops use profiles like this to make their own intelligence assessments, often confidentially collaborating with others sharing the same problems.

Help Bro Project with Short Survey

By Richard Bejtlich

I've written about Bro before, and I noticed the following mailing list post titled Poll: Bro deployments:
Hello Sites Using Bro,
We'd like to ask for your help. We're in the process of preparing a major funding proposal for improving Bro, focused on: improving the end-user experience (things like comprehensive documentation, polishing rough edges, fixing bugs); and improving performance.
This looks like a potentially excellent opportunity. However, a major element of winning the funding is convincingly demonstrating to the funders that Bro is already well-established across a large & diverse user community.
To develop that framing, we'd like to ask as many of you folks as possible to fill out the small questionaire below. Please send the replies to Robin personally, not to the list (just replying to this mail should do the right thing). Assuming sufficient feedback, we'll post an anonymized summary to the list.
(Of course we already know about many of you, but collecting this information more systematically will allow us to put together a better overall view of the Bro community.)
Thanks a lot in advance,
Vern and Robin

--------- Please send to robin at icir.org -----------------------------

1.  Name of deployment site [optional]:

2.  We are using Bro

    [ ] not yet, but we plan to

    [ ] experimentally

    [ ] operationally

3.  We have done so for about _N_ years.

4.  Our site is best described as

    [ ] Academia

    [ ] Research Lab

    [ ] Government

    [ ] Industry

    [ ] Other (please explain)

5.  In its current use, Bro monitors about _N_ systems.

6.  Would you be fine with us listing your site by name as a Bro user?

    [ ] Yes, however you wish.

    [ ] Yes in private to the funders in your grant application, but not publicly.

    [ ] No, please use this information only in an anonymized form.

7.  Optionally, list up to three improvements you would like to see

    in the "Bro world":

If you have any interest in Bro, please consider completing this short survey and email your results to Robin. Thank you!

Security - RSS Feeds

China Denies Link to Cyber-Attacks

The Chinese government denies any involvement in cyber-attacks, rebuking accusations made linking the government to attacks on Google and 30 other companies.
- The Chinese government is fighting back against accusations it was involved in any way in the recent cyber-attacks that struck more than 30 enterprises, calling such talk "groundless." quot;Accusation that the Chinese government participated in cyber-attack, either in an explicit or inexplici...

Bredolab, Spam and the CAPTCHA-Cracking Biz

Meet Bredolab. Bredolab represents what Fortinet calls a simplified botnet a loader that simply connects to a remote server to report and receive files to download and execute. Fortinet has linked Bredolab to an innovative new spam engine called Webwail as well as an uptick in the growth of attacker services focused on cracking CAPTCHAs. By circumventing CAPTCHA protections, spammers can sign up for legitimate Web e-mail accounts to send out spam, making it harder for security vendors to block their messages. Fortinet Threat Researcher Derek Manky predicts more Web engines like Webwail will be developed, driving a growth in CAPTCHA-solving services. Here, eWEEK looks at Webwail and Bredolab, and shows what could be a new security threat: loaders sold as services to buyers looking to distribute malware.
- ...

Clinton Pushes Cyber-security in Wake of Google Attacks

Secretary of State Hillary Clinton calls for countries to cooperate in defending against cyber-attacks, but remains cautious in her comments regarding the recent attacks reported by Google.
- U.S. Secretary of State Hillary Clinton in a speech Jan. 21 took a strong stance in favor of promoting cyber-security partnerships and ending Internet censorship, but stopped short of using harsh language against China in connection with the recent cyber-attacks reported by Google. China has been ...

Security

The Art of Technology

etc: Those of you who still use RealPlayer should take note of a slew of updates intended to shut the door on some vulnerabilities.

In @etc

Those of you who still use RealPlayer should take note of a slew of updates intended to shut the door on some vulnerabilities.

Read More:US-CERT

Could Microsoft have fixed "Google hack" prior to attacks?

By p_emil@hotmail.com (Emil Protalinski) on internetexplorer

When Microsoft released the highly-publicized patch for Internet Explorer yesterday, the software giant admitted that it was aware of the flaw for quite some time. "As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September," Redmond disclosed on the Microsoft Security Response Center. Does this mean that Microsoft could have prevented the Chinese attacks on the 33 companies by releasing patches for Internet Explorer sooner, or at the very least, that the browser would not have been one of the vectors used? Not exactly, we learned after contacting three different security experts.

"When the vulnerability was disclosed to Microsoft in last December, there wasn't any known exploit in the wild," Chenxi Wang, Principal Analyst of Security and Risk Management at Forrester Research, told Ars. "Hence Microsoft scheduled to release the patch in February, which was the next available security bulletin date. But this attack came up before they released the update. That's why they issued the out of band fix. To be fair, Microsoft sees a lot of vulnerabilities, and you don't know which one actually would result in an attack."

In short, Microsoft did what it always does: work on a fix, but don't tell the public until it is absolutely necessary to warn them, and then release it as soon as possible.

32 million passwords show most users careless about security

By jtimmer@arstechnica.com (John Timmer) on stupidity

We've covered this ground before, but never quite on this scale. The best passwords are arbitrary strings that mix letters, digits, and other characters, and are unique to each account. But the human brain isn't wired to remember arbitrary strings, and the explosion of locations that require a login has only exacerbated the problem. The inevitable result is that various surveys have all indicated that many user accounts are badly insecure.

The latest confirmation of that comes with some pretty significant numbers behind it: 32 million, to be exact. That's how many passwords were obtained in a recent hack of the RockYou service. The hacker left a file with all the passwords on a public site, and security firm iMPERVA has now analyzed them. The numbers aren't pretty: about a third are less than six characters, and half are vulnerable to dictionary attacks. The most common password was 123456, and it was followed by 12345, 123456789, and Password. iMPERVA estimates that someone with a slow DSL connection could access one account a second using a dictionary attack.

The one caveat here is that RockYou simply offers widgets for use on social networking sites, so the stakes aren't obviously that high. By all appearances, the worst thing that could happen if someone got ahold of RockYou login credentials is that they could upload photos to an unsuspecting user's Facebook account—potentially embarrassing, but not in the same league as banking information.

What iMPERVA doesn't comment on, but it should be noted, is that RockYou itself seems pretty indifferent to security. Although the site's security notice about the breach starts by saying, "Our users' privacy and data security have always been a priority for RockYou," there's no way to reconcile that with the fact that the company stored all its user information as plain text in a database that was vulnerable to an SQL injection attack. The company is taking reasonable measures in response to its very public failing, but this is security 101.

SearchSecurity: Security Wire Daily News

The latest information security news on IT threats, vulnerabilities and market trends from the award-winning SearchSecurity.com.

Data breach costs continue to rise in 2009, Ponemon study finds

By Robert Westervelt

A Ponemon Institute study of 45 businesses found data breach costs increased last year to $204 per compromised record, a rise of $2 per customer record over 2008 costs.

Adobe issues alert on Shockwave Player 3D graphics flaws

By Robert Westervelt

Vulnerabilities could allow an attacker to infect victims with malware and take control of an infected machine.

Microsoft issues critical security update, blocks IE 6 attacks

By Robert Westervelt

Eight critical vulnerabilities in Internet Explorer were repaired in Microsoft's rushed security update. All supported versions of IE are affected.

SANS%20Internet%20Storm%20Center,%20InfoCON%3A%20green

SANS Internet Storm Center, InfoCON: green

Outdated client applications, (Sun, Jan 24th)

The Aurora target attack made me think about the client applications again. This and when I saw ...(more)...

The necessary evils: Policies, Processes and Procedures, (Sat, Jan 23rd)

This isn't a glamorous topic and quite frankly it's not my favorite one to talk about or to work on. ...(more)...

Pass-down for a Successful Incident Response , (Fri, Jan 22nd)

A mandatory management tool for incident response is called the pass down. It is t ...(more)...

Firefox Upgrade Available, (Thu, Jan 21st)

Firefox released 3.6 today with a few notable improvements ...(more)...

The Register - Security

Biting the hand that feeds IT

Whirlpool allows old stains to linger on Kitchenaid.com site

Warnings put through spin cycle

Domestic appliance manufacturer Whirlpool has come under fire for failing to clean up a malware infection on one of its sites, months after it was notified of a problem by UK anti-virus firm Sophos.…

China denies role in cyber attacks on Google

Claims 'groundless'

China has denied it was involved in the December cyber attacks on Google and at least 33 other companies.…

Full-body scanner blind to bomb parts

Todger, yes. Combustibles, no

Most of the uproar over full-body scanners has focused on privacy concerns. There's one larger question, however, that hasn't received much scrutiny by the chattering classes: do the damnable things work?…

80% of fed sites miss DNS Security deadline

Where's your spoof protection?

The vast majority of US federal agencies have failed to meet a December 31 deadline to deploy new technology that would make it significantly harder for attackers to spoof their websites, according to Network World.…

Amateur goof makes Twitter account hijacking a snap

Just add XML

Twitter is sitting on an amateur configuration blunder that makes it trivial for attackers to take control of user accounts, a researcher said Friday.…

TSA screener plants powder baggie in flier's luggage

Not everyone gets the joke

A screener for the US Transportation Security Administration lost his job after pretending to plant a plastic bag of white powder in the carry-on luggage of a passenger at the Philadelphia International Airport.…

MS knew of Aurora exploit four months before Google attacks

China light on the matter

Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged.…

Tor software updated after hackers crack into systems

Miscreants remain anonymous

Privacy-conscious users of the Tor anonymiser network have been urged to upgrade their software, following the discovery of a security breach.…

Irish board hack prompts password reset

Users thrown into scramble to change up login credentials

Popular Irish web discussion forum boards.ie has reset user passwords in response to a hack attack that compromised member login credentials.…

Emergency IE patch goes live as exploits proliferate

'Hundreds of sites' locked and loaded

Updated Microsoft released an emergency security update for all versions of Internet Explorer on Thursday as attacks exploiting a critical vulnerability in the widely used browser spread to hundreds of websites.…

Network World on Security

The latest security news, analysis, reviews and feature articles from NetworkWorld.com.

Study: CISOs Keep Breach Costs Lower

The latest "Cost of a Data Breach" survey from the Ponemon Institute finds companies with a CISO are better able to handle loss of sensitive information.

Stop 11 Hidden Security Threats

Do you know how to guard against scareware? How about Trojan horse text messages? Or social network data harvesting? Malicious hackers are a resourceful bunch, and their methods continually evolve to target the ways we use our computers now. New attack techniques allow bad guys to stay one step ahead of security software and to get the better of even cautious and well-informed PC users.

Chinese human rights sites hit by DDoS attack

Five Web sites run by Chinese human rights activists were attacked by hackers over the weekend, as a separate row continued between Google and China over political cyberattacks.

China rejects accusations on Google hack, Internet freedom

China on Monday dismissed accusations of any official involvement in hacking attacks on Google and other U.S. companies, adding to tension between the two countries over the issue.

Netgear targets SMB market with new security tool

Netgear's new security appliance takes on SMB stalwarts such as Fortinet and Barracuda by including key functions of antispam, antimalware, and Web content filtering into a single unit combining easy deployment and budget-preserving pricing.

HP unveils extensive security services package

HP Monday announced an extensive security-services portfolio that includes more than 90 basic offerings for application, identity and access management security to business continuity, cloud computing and managed services aimed at businesses and government.

Facebook users offered free spam 'firewall'

Security vendor Websense if offering Facebook users and businesses a new ‘firewall' service that monitors their pages for malicious posts, links and spam.

Acronis makes online backup service available to all

Acronis has made its online back-up service available as a stand-alone product.

China hacks used as lure for more targeted attacks

Malicious hackers have begun using the recent cyberattacks against Google and more than 30 other companies as lures for launching even more targeted attacks, security firm F-Secure said in a blog post today.

Botnets: 'The Democratization of Espionage'

The cyber attacks against Google, Adobe and a raft of other top U.S. corporations late last year were by most accounts sophisticated and targeted attempts to steal proprietary data. But lost in all of the resulting media hoopla over who the remaining victims were and whether Chinese hackers or indeed the Chinese government itself were responsible is the simple, terrifying truth that individual hackers now have access to the same arsenal of cyber weapons once reserved only for nation states.

Microsoft assurance on IE vulnerability

Microsoft has moved to reassure users and the corporate world that everything possible is being done to address concerns about an Internet Explorer (IE) vulnerability, after the attacks on Google and other companies in China.

RealPlayer fix addresses 11 security bugs

US-CERT is advising users to upgrade their RealPlayer software after the company patched 11 security bugs.

Cyber criminals target online activities of Asians

Social networking sites and online banking are very popular across the world but their users are now looking for better identity protection, according to the 2010 global online consumer security survey by RSA, the security division of EMC.

Baidu lawsuit: Register.com rep refused aid after hack

Chinese search engine Baidu.com was stranded without technical support from its U.S. domain registrar immediately after being hacked last week, Baidu has alleged in its lawsuit against the registrar.

TOR issues updated software after server breach

The TOR Project is advising users to upgrade to a new version of the software following a hack that compromised three of its servers.

Creating Secure Passwords You Can Remember

Microsoft Chairman Bill Gates declared the password dead. He told his audience that the password can't meet the challenge of keeping sensitive information protected, saying "People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."

Users on hacked site used 'trivial' passwords

The hackers who stole and published 33 million passwords from the Rockyou.com website in December needn't have bothered, a security company has revealed. Many of them were so trivial they could have been guessed anyway.

IE attacks pose small threat to U.S., big risk to China

Security researchers say that the hackers exploiting an Internet Explorer bug are far more likely to hit Chinese computers users than those in the U.S. The hackers are believed to be working from China.

Europe's spam war hits stalemate

Europe's ISPs are just about holding their own against the global spam barrage, a Europe-wide report has found. Put another way, things are not getting better, but they are not getting any worse either.

Web users warned about hoax Amazon emails

Web users are warned about hoax emails claiming to be from etailer Amazon.

Emergency Internet Explorer patch available

Microsoft's emergency Internet Explorer 6 patch will be available from 6pm UK time. Facebook has begun warning members logging in to its social network site using Internet Explorer to update to the latest version of the web browser.

Google's China Challenge: How It Came to This

Google's getting some moral support from the government in its decision to stop censoring search in China.

Enterprises look to service providers for help managing security logs

Managed SIM services started to gain momentum over the past two years, largely due to compliance mandates such as the Payment Card Industry data security requirements.

Microsoft patches IE, admits it knew of bug last August

As Microsoft patched the Internet Explorer zero-day used to break into Google's network, it acknowledged that it had known of the bug since August 2009, when an Israeli security company reported the flaw.

Emergency Microsoft Update Fixes IE Zero-day

Microsoft today released a rare patch outside of its normal monthly update cycle to fix an under-attack zero-day security hole in Internet Explorer.

Widespread attacks exploit newly patched IE bug

The first widespread attack to leverage a recently patched flaw in Microsoft's Internet Explorer browser has surfaced.

Users still make hacking easy with weak passwords

In a report likely to make IT administrators tear out their hair, most users still rely on easy passwords, some as simple as "123456," to access their accounts.

80% of government Web sites miss DNS security deadline

Most U.S. federal agencies -- including the Department of Homeland Security -- have failed to comply with a Dec. 31, 2009, deadline to deploy new authentication mechanisms on their Web sites that would prevent hackers from hijacking Web traffic and redirecting it to bogus sites.

Mobile router hacked to reveal user's location

A user of Novatel Wireless's MiFi ‘portable Wi-Fi' hotspot appears to have stumbled on a security flaw that could allow an outsider to work out a user's location without their knowledge.

Microsoft to issue emergency IE patch Thursday

Microsoft will release its emergency patch for Internet Explorer (IE) on Thursday, the company said, as it also admitted that attacks can be hidden inside rigged Office documents.

Controversial App Provides Background Checks On the Go

Online privacy is a constant and growing concern as the evolving landscape of Web sites and services erode the traditional expectations of privacy. A new app from BeenVerified is adding even more controversy to the privacy dilemma by enabling users to conduct background checks on anyone in a matter of seconds from their iPhone.

Heartland's settlement offer not enough, lawyers say

Lawyers representing financial institutions in a data breach lawsuit against Heartland Payment Systems Inc are calling a recently proposed $60 million settlement offer from the company as way too meager.

Clinton: US gov't will push harder against Web censorship

The U.S. Department of State will launch several new initiatives focused on fighting Internet censorship, including working with businesses and other groups to develop mobile applications that help residents of countries with repressive governments report problems, U.S. Secretary of State Hillary Clinton said Thursday.

Clinton to challenge Internet censorship in policy address

U.S. Secretary of State Hillary Clinton will raise the issue of Google's ongoing battles in China in a broad policy address on Internet freedom she plans to make Thursday in Washington, D.C.

Mobile router hack reveals user's location

A user of Novatel Wireless's MiFi ‘portable Wi-Fi' hotspot appears to have stumbled on a security flaw that could allow an outsider to work out a user's location without their knowledge.

Microsoft Security Bulletin Coming for IE Zero-Day

Microsoft announced today that security bulletin MS10-002 will be released on Thursday--almost three weeks ahead of the next regularly-scheduled Patch Tuesday update. MS10-002 has a cumulative risk rating of Critical and it is being released out-of-band to address the zero-day exploit at the heart of the China attacks on Google, which is now circulating in-the-wild.

Microsoft confirms 17-year-old Windows bug

Microsoft warns that a bug in the kernel of a 32-bit windows versions could allow hackers to hijack PCs. The company said the bug is 17-years old.

McAfee Avert Labs

Cutting edge security research as it happens.......

Scams Take Advantage of Haiti Relief Efforts

By Sam Masiello on Web and Internet Safety

Never is the heartless nature of cybercriminals more apparent than in the wake of a tragedy. As relief efforts continue and worldwide aid pours in to help those affected by the earthquake that rocked Haiti on January 12, cybercriminals have not slowed their efforts. They are eager to get you to donate money that the people [...]

Patch Released for Recent Microsoft Zero Day (CVE-2010-0249)

By Craig Schmugar on Zero-Day

Microsoft has released Security Bulletin MS10-002, regarding Internet Explorer vulnerabilities. In addition to patching the flaw exposed by Operation Aurora, the company released patches for seven other vulnerabilities. We are aware of reports of private CVE-2010-0249 exploits impacting Internet Explorer 7 and 8 (though these are mitigated with ASLR and DEP). Historically, the odds of private exploits [...]

InSecurity Complex

Keeping tabs on flaws, fixes, and the people behind them.

StopBadware goes nonprofit with funding from Google, others

By Elinor Mills

Four-year-old anti-malware effort leaves Harvard's Berkman Center to become standalone nonprofit.

Survey: Data breaches from malicious attacks doubled last year

By Elinor Mills

Ponemon survey of U.S. companies discloses its first reports that data-stealing malware caused breaches.

Router glitch cripples California DMV network

By Elinor Mills

California workers resort to pen and paper during two-hour network outage at the Department of Motor Vehicles.

Facebook plugs friends list mobile leak

By Elinor Mills

Facebook fixes setting on Facebook's mobile site so strangers can't see other peoples' friends list.