Friday, January 29, 2010

Around The Horn vol.2,4

Zero Day

Tracking the hackers

Bogus IQ test with destructive payload in the wild

By Dancho Danchev on Windows Vista

Researchers from ESET and BitDefender have intercepted two destructive malware variants (Win32/Zimuse.A, Win32/Zimuse.B/zipsetup.exe), posing as an IQ test, and currently spreading in the wild.

Yahoo!%20News

Yahoo! News: Security News

Security News

Scammers Hop on iPad Bandwagon (PC World)

In technology

PC World - iPad search results may contain poisoned links that lead to rogue antivirus software, as fraudsters unleash a favorite malware-pushing tactic.

Google attack highlights 'zero-day' black market (AP)

In technology

In this photo made Saturday, Jan. 23, 2010, a Microsoft Internet Explorer browser displays the Google Web site as men work on computers in Beijing, China. (AP Photo/Ng Han Guan)AP - The recent hacking attack that prompted Google's threat to leave China is underscoring the heightened dangers of previously undisclosed computer security flaws — and renewing debate over buying and selling information about them in the black market.

Power plants, other infrastructure face hackers (AP)

In technology

AP - More than half of the operators of power plants and other "critical infrastructure" say in a new study that their computer networks have been infiltrated by sophisticated adversaries. In many cases, foreign governments are suspected.

Startpage launches anonymous Web search service (Reuters)

In technology

Reuters - Search-engine company Startpage launched a service allowing users concerned about privacy to carry out Web searches and click on linked pages without being identified, tracked or recorded.

Malware Aims to Evade Windows 7 Safeguards (PC World)

In technology

PC World - Experts agree that Windows 7 has enhanced security to ward off attacks on vulnerabilities in old software. But what if a money-minded online scammer can persuade you to download malware onto your PC?

Malware research group spins off from Harvard (AP)

In technology

AP - A research organization that tries to warn computer users about programs that do sneaky things on their computers has spun off from Harvard University.

Google Toolbar Tracks Some Browsing Even When It's Not Supposed To (PC World)

In technology

PC World - A bug in Google Toolbar has resulted in the search giant receiving information about users' Web surfing in violation of the product's privacy policy, according to an anti-spyware and privacy researcher. In a report to be released Tuesday, Ben Edelman, an assistant professor at Harvard Business School, shows that under certain circumstances the Google Toolbar (versions 6.3 and above) tracks the browser habits of Internet Explorer 8 users who have activated the toolbar's "enhanced features" even when the toolbar is turned off or disabled.

IPhone Hacker Says He's Also Cracked PlayStation 3 (PC World)

In technology

PC World - The 20-year-old hacker best known for cracking Apple's iPhone says he's done it again, this time with Sony's PlayStation 3.

Google Toolbar Still Spies When Told Not To (PC Magazine)

In technology

PC Magazine - Spyware researcher Ben Edelman details tests which show that, even after the user disables "Google Toolbar" using the IE Manage Add-ons feature, it continues to report on a user's actions.

Researcher to Reveal More Internet Explorer Problems (PC World)

In technology

PC World - Microsoft's Internet Explorer could inadvertently allow a hacker to read files on a person's computer, another problem for the company just days after a serious vulnerability received an emergency patch.

WindowSecurity.com

WindowSecurity.com

WindowSecurity.com provides Windows security news, articles, tutorials, software listings and reviews for information security professionals.

Authenex ASAS - Voted WindowSecurity.com Readers' Choice Award Winner - Authentication & Smart Cards

By info@WindowSecurity.com (The Editor)

Authenex ASAS was selected the winner in the Authentication & Smart Cards category of the WindowSecurity.com Readers' Choice Awards. Aladdin eToken and Smart Enterprise Guardian were runner-up and second runner-up respectively.

Configuring Advanced IE Settings Using Group Policy

By (Derek Melber)

What is involved in the Advanced Security settings in IE and how best to configure each one.

How I Cracked your Windows Password (Part 1)

By (Chris Sanders)

How Windows creates and stores password hashes and how those hashes are cracked.

TaoSecurity

Richard Bejtlich's blog on digital security and the practices of network security monitoring, incident response, and forensics.

Review of Professional Penetration Testing Posted

By Richard Bejtlich

http://ecx.images-amazon.com/images/I/41qVJtNhmtL._AA200.jpgAmazon.com just posted my three star review of Professional Penetration Testing by Thomas Wilhelm. From the review:
I had fairly high hopes for Professional Penetration Testing (PPT). The book looks very well organized, and it is published in the new Syngress style that is a big improvement over previous years. Unfortunately, PPT should be called "Professional Pen Testing Project Management." The vast majority of this book is about non-technical aspects of pen testing, with the remainder being the briefest overview of a few tools and techniques. You might find this book useful if you either 1) know nothing about the field or 2) are a pen testing project manager who wants to better understand how to manage projects. Those looking for technical content would clearly enjoy a book like Professional Pen Testing for Web Applications by Andres Andreu, even though that book is 3 years older and focused on Web apps. This is my 300th Amazon.com book review. I wish I had planned the review schedule such that I reviewed a five star book for number 300.
I reported my 200th book review for Building an Internet Server With FreeBSD 6 in August 2006.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)https://blogger.googleusercontent.com/tracker/4088979-5397471572750108021?l=taosecurity.blogspot.com

Energy Sector v China

By Richard Bejtlich

The aftershocks of Google v China continue to rumble as more companies are linked to the advanced persistent threat. Mark Clayton from the Christian Science Monitor wrote a story titled US oil industry hit by cyberattacks: Was China involved? I found these excerpts interesting.
At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.
The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide...
The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas...
“What these guys [corporate officials] don’t realize, because nobody tells them, is that a major foreign intelligence agency has taken control of major portions of their network,” says the source familiar with the attacks. “You can’t get rid of this attacker very easily. It doesn’t work like a normal virus. We’ve never seen anything this clever, this tenacious...”
Many experts say the theft of this kind of information – about, for instance, the temperature and valve settings of chemical plant processes or the source code of a software company – can give competitors an advantage, and over time could degrade America’s global economic competitiveness...
Even more basic, many corporate executives aren’t aware of how sophisticated the new espionage software has become and cling to outdated forms of electronic defense...
[B]ased on the kind of information that was being stolen, federal officials said a key target appeared to be bid data potentially valuable to “state-owned energy companies...”
China would certainly be interested in this kind of data, experts say. With the country’s economy consuming huge amounts of energy, China’s state-owned oil companies have been among the most aggressive in going after available leases around the world, particularly in Nigeria and Angola, where many US companies are also competing for tracts...
“What I’m saying to you is that it’s not just the oil and gas industry that’s vulnerable to this kind of attack: It’s any industry that the Chinese decide they want to take a look at,” says an FBI source. “It’s like they’re just going down the street picking out what they want to have.”

Expect more denials from party spokesmen in China.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)https://blogger.googleusercontent.com/tracker/4088979-2644784305655532719?l=taosecurity.blogspot.com

SecurityFocus

SecurityFocus News

SecurityFocus is the most comprehensive and trusted source of security information on the Internet. We are a vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.

Brief: Cyberattacks from U.S. "greatest concern"

Cyberattacks from U.S. "greatest concern"

Security - Security News

The Art of Technology

Security researchers blast credit card verification system

By segphault@arstechnica.com (Ryan Paul) on Security

http://static.arstechnica.com/assets/2009/02/credit-card-lock-thumb-230x130-2463-f.jpg

Some credit card companies use a system called 3-D Secure (3DS) that adds an extra step to transactions that are carried out on the Internet. Visa and MasterCard tout their security, but researchers are questioning their efficacy.

When making a purchase, online shoppers are confronted with a validation check that requires them to supply a password—in addition to the standard security code that is on the card itself—in order to prove that they are the real owner of a credit card. Systems built on 3DS are better known by their brand names, which include Verified by Visa and MasterCard SecureCode.

Read the rest of this article...

Researchers jail spam bots, reverse engineer their payload

By jtimmer@arstechnica.com (John Timmer) on spam

http://static.arstechnica.com/assets/2009/11/botnet_spam_ars-thumb-230x130-9717-f.jpg

If you have access to a server-side spam mailbox, you're likely to find it filled with sets of messages that are variations on a theme: similar products, similar sites offering them, but a dizzying variety of variations in the precise wording. According to security researchers, there's a simple reason for this: to simplify out spam campaigns to a botnet, spammers are using templates for messages, with the variations in the body created by text macros that insert random characters or words from a limited dictionary (think Mad Libs meets Viagra). Now, researchers are turning this feature against the spammers by creating software, called Botnet Judo, that uses collections of spam to reverse-engineer the template, then filters anything that matches it.

In a few cases, such as the Storm botnent, which the researchers have worked on previously, security experts have been able to reconstruct the use of templates and macros. The material is generally sent by the botnet's command and control system, and then used to generate hundreds of thousands of messages. In some cases, the macros simply produce random characters in specific locations in the body or header information. In others, it places a word from a limited dictionary in specific locations—the paper describing Botnet Judo gives the example of placing one of "gucci", "prada", or "chanel" in a specific location of a spam for counterfeit luxury goods.

Read the rest of this article...

Google: Toolbar data persistence a bug, fix available

By jtimmer@arstechnica.com (John Timmer) on Software

http://static.arstechnica.com/assets/2009/03/google-sauron-eyes-thumb-230x130-3118-f.jpg

Google's Toolbar for Internet Explorer and Firefox serves as a gateway to a variety of software services provided by the search giant, many of which require a user to provide Google with information on the site that's currently displayed in the browser. A Harvard professor that focuses on spyware issues has now discovered that this information continues to be sent in to Google even if the Toolbar is inactivated.

The academic in question, Benjamin Edelman, starts with a full disclosure of his conflicts of interest: he consults for Google competitors such as Microsoft and has been involved in a lawsuit against the company. None of that necessarily alters the basics of his findings, which are extensively documented, but it may influence how they're presented.

Read the rest of this article...

etc: TechCrunch was down for a couple of hours last night after being attacked by hackers. Visitors were greeted by a link to pornographic content.

In @etc

TechCrunch was down for a couple of hours last night after being attacked by hackers. Visitors were greeted by a link to pornographic content.

Read More:TechCrunch, BBC

One day after latest fix, Microsoft investigates new IE flaw

By p_emil@hotmail.com (Emil Protalinski) on internetexplorer

A day after releasing an out-of-band security bulletin for a vulnerability in Internet Explorer notably exploited in the recent series of Chinese-based attacks against Google and 30 other tech companies, new flaws have been discovered in Microsoft's browser.

Boston-based research firm Core Security Technologies has outlined a set of vulnerabilities in Internet Explorer that hackers can link together to remotely exploit a Windows PC. None of the vulnerabilities are serious enough to compromise a machine alone, but a hacker could take control of a PC by exploiting all of them at once. "There are three or four ways to conduct this type of attack," Jorge Luis Alvarez Medina, a security consultant with Core, told Reuters, though he admitted he was uncertain whether any hackers had already exploited his findings.

"Microsoft is investigating a responsibly disclosed vulnerability in Internet Explorer," a Microsoft spokesperson told Ars. "We're currently unaware of any attacks trying to use the vulnerability or of customer impact, and believe customers are at reduced risk due to responsible disclosure."

After the investigation, Microsoft will either provide a security update on Patch Tuesday, or an out-of-cycle update like it did with the last IE flaw (less likely in this case). The Microsoft spokesperson took the opportunity to make the now-familiar recommendations that IE users upgrade to Internet Explorer 8 and to enable Automatic Updates.

Medina plans to demonstrate the IE vulnerabilities at the Black Hat security conference in Washington, which begins February 2, but until then he will work with Microsoft to find a way to mitigate the risk. Still, he believes that other related vulnerabilities will crop up even after fixes are found to the ones he unearthed.

Security - RSS Feeds

Security - RSS Feeds

Apple iPhone App Security in Spotlight at Black Hat

At the upcoming Black Hat DC security conference, software engineer Nicolas Seriot will focus on security and privacy issues involving third-party applications developed for the Apple iPhone.
- A software engineer is highlighting the challenges facing mobile application stores in an upcoming presentation at Black Hat DC. In his presentation Feb. 3, software engineer Nicolas Seriot will focus on applications for the Apple iPhone, and how Apple's guarantees of privacy and applications ca...

Symantec's Consumer Business Led Way in Q3

IT security company Symantec reports a jump in its consumer business in the fiscal third quarter.
- Symantec reported $1.551 billion in revenues in the third quarter of fiscal 2010, due in part to growth in its consumer business. The company reported GAAP net income of $300 million for the quarter, compared with a $6.82 billion loss for the same quarter the previous year. About 31 percent ...

Nebraska Man Admits DDoS Attack on Church of Scientology

A Nebraska man confessed to his role in a distributed denial of service (DDoS) attack targeting Websites for the Church of Scientology.
- A Nebraska man agreed this week to plead guilty in connection with attacks on Web sites for the Churchof Scientology, becoming the second person to do so since the investigation began. Brian Thomas Mettenbrink of Grand Island, Neb., will plead guilty to the misdemeanor charge of u...

10 Internet Access, Security, Privacy Threats for 2010

The Electronic Frontier Foundation was busy in 2009, picking on companies it believes crept a little too close to people's privacy comfort zones. The EFF took on Google over the Google Book Search deal and the Google Latitude mobile social networking application, among other topics. As we go deeper into 2010, Tim Jones, the EFF's activism and technology manager, said the EFF has several concerns on its action list, which it plans to revisit in December 2010 to see what transpired over the course of the year. eWEEK walks through these issues in this slide show, mixing up the EFF's original order for some consistency.

Google Chrome 4 Bolsters Browser Security with New Features

Google is touting three new security features added to the latest version of its Chrome browser, including new protections against reflective cross-site scripting.
- Google has beefed up the latest version of its Chrome browser with new security protections designed to help developers build secure Websites. In Chrome 4, which was released Jan. 25, Google added three new security features: strict transport security, cross-origin communication with postMess...

IT Security Spending Expected to Increase for Enterprises, SMBs

Roughly 40 percent of enterprises and small and midsize businesses plan to increase security spending, with both groups paying particular attention to data security, network security and managed services, according to Forrester Research.
- Two new reports from Forrester Research project that roughly 40 percent of enterprises and small and midsize businesses plan to increase their IT security budgets in 2010. The reports, released Jan. 25, found other commonalities: A large percentage of both groups expect spending on network s...

Data Breaches Cost More if Enterprises Move Too Fast

Acting too quickly after a data breach can cost companies even more money, the Ponemon Institute reports.
- Data breaches are not getting any cheaper to deal with, and companies that jump the gun on notifications can end up paying the most. In its fifth annual study on data breaches, the Ponemon Institute discovered that about 36 percent of participants notified their breach victims within one month,...

HP Unveils New Security Services Portfolio

HP is rolling out its new Security, Compliance and Continuity Services portfolio aimed at helping businesses and government agencies reduce the cost and complexity of their security initiatives by offering a tightly integrated set of services that span traditional settings and cloud computing environments. HP officials said the new portfolio is the latest step in their efforts to compete more closely with services king IBM.
- Hewlett-Packard is wielding the strength gained from its $13.9 billion acquisition of EDS in creating an extensive package of security services that touches on everything from hardware to cloud computing to applications. The HP Security, Compliance and Continuity Services portfolio, announced J...

SecuriTeam.com

SecuriTeam

Welcome to the SecuriTeam RSS Feed - sponsored by Beyond Security. Know Your Vulnerabilities! Visit BeyondSecurity.com for your web site, network and code security audit and scanning needs.

Publique! CMS and SQL Injection Vulnerabilities

A remotely exploitable vulnerability was found in the framework core component. Exploitation of this bug does not require authentication and will lead to remotely exposed potentially sensitive information from the Publique! database. Particularly, an attacker can extract usernames and passwords needed to authenticate to the administrative interface and gain full control of the web site and (depending on certain conditions) the server itself.

LedgerSMB Multiple Vulnerabilities

It has been brought to our attention that a number of security vulnerabilities have been noted in SQL-Ledger. Several of these affect earlier versions of LedgerSMB, and three hotfixes have been released for problems that continue to affect the LedgerSMB codebase.

Files2Links F2L-3000 SQL Injection Vulnerability

The login page of the F2L-3000 version 4.0.0 is vulnerable to SQL Injection. Exploitation of the vulnerability may allow attackers to bypass authentication and access sensitive information stored on the device.

SearchSecurity.com

SearchSecurity: Security Wire Daily News

The latest information security news on IT threats, vulnerabilities and market trends from the award-winning SearchSecurity.com.

SCADA system, critical infrastructure security lacking, survey finds

By Robert Westervelt

IT and security executives at firms that own critical infrastructure facilities are concerned about the lack of security protecting underlying management systems from attack.

MA 201 CMR 17 enforcement less likely with prompt reporting, cooperation

By Eric B. Parizo

The official charged with enforcing the MA 201 CMR 17 data protection law says early reporting of potential breaches and cooperation will help firms avoid enforcement action.

No major PCI DSS revision expected in 2010

By Robert Westervelt

The next revision of PCI DSS will contain clarifications, but no major revisions, according to Bob Russo, general manager of the PCI Security Standards Council.

PCI QSAs, certifications to get new scrutiny

By Robert Westervelt

The PCI Security Standards Council now has a team of five reviewing PCI assessments for inconsistencies and has increased funding for its QSA oversight program.

SANS%20RSS%20Feed

SANS NewsBites

All Stories From Vol: 12 - Issue: 7

Major US Oil Companies' Networks Infiltrated by Spies (January 25, 2010)

Three major US oil companies were targeted by sophisticated espionage attacks in 2008; they were unaware of the scope of the problem until the FBI notified them in late 2008 and in 2009.......

No Easy Deterrent for Cyber Warfare (January 26, 2009)

In a far ranging and insightful article, New York Times reporters Thom Shanker, David Sanger, and John Markoff analyze the United States' currents capabilities in deterring cyber attacks.......

Chinese Human Rights Sites Hit With DDoS Attack (January 25, 2010)

Over the weekend, five Chinese human rights groups, including the Chinese Human Rights Defenders, experienced attacks on their websites.......

Google Attack Fallout Underscores China's Culture of Censorship and Surveillance (January 25, 2010)

The recent disclosure of cyber attacks on Google and other US companies and the allegations that they originated in China has shined a spotlight on China's practices of surveillance and censorship that have been requirements for multinational companies wanting to conduct business in that country.......

China Denies Hacking Allegations; Accuses US (January 23 & 25, 2010)

The Chinese government has categorically denied allegations that it is behind a series of attacks on Google and other American companies.......

Study Shows US $100,000 Increase in Costs Associated With Average Breach (January 25, 2010)

According to a study from the Ponemon Institute, the costs associated with data security breaches rose US $100,000 between 2008 and 2009, from US $6.......

Judge Reduces Penalty in Jammie Thomas-Rasset Filesharing Case (January 22 & 25, 2010)

A US District Court judge in Minnesota has reduced the monetary penalty imposed on Jammie Thomas-Rasset for illegal filesharing from nearly US $2 million to US $54,000.......

Thomas-Rasset Case Offers Glimmer of Hope to BU Student (January 25, 2010)

Boston University graduate student Joel Tenenbaum is cautiously hopeful that the significant reduction of damages levied against Jammie Thomas-Rasset will prompt the judge in his case to reduce the US $675,000 fine he is facing for illegal filesharing.......

Ladbrokes Data Breach (January 24 & 25, 2010)

A man claiming to represent a Melbourne, Australia company provided UK newspaper The Mail on Sunday with the names and other personal details of 10,000 people who were customers of the Ladbrokes bookmaking company and offered to sell them a database of information on 4.......

Italian Government Considering Law That Would Require Monitoring of Internet Content (January 22, 2010)

Italian Prime Minister Silvio Berlusconi's government has proposed legislation that would require all video uploaded to YouTube, blogs and news media outlets to be vetted for pornographic or excessively violent content.......

RealPlayer Update (January 19 & 22, 2010)

RealNetworks has issued a security update to address 11 vulnerabilities in its RealPlayer media player.......

Boards.ie User Data Compromised (January 22, 2010)

Boards.......

People Leaving USB Drives in Clothing Pockets, Say Cleaners (January 20, 2010)

A UK survey found that 4,500 USB drives have been found in people's clothing pockets when they were taken to dry cleaners.......

SANS%20Internet%20Storm%20Center,%20InfoCON%3A%20green

SANS Internet Storm Center, InfoCON: green

Analyzing isc.sans.org weblogs, part 2, RFI attacks, (Fri, Jan 29th)

The 2nd part of the Weathering the Storm blog series is now live [1]. In this series, I ...(more)...

Symantec generating a False Positive on Flash Player installer, (Thu, Jan 28th)

If you are running Symantec antivirus, and trying to install Flash, and the Installer is being flagg ...(more)...

Wireshark Version 1.2.6 is out: http://www.wireshark.org/docs/relnotes/wireshark-1.2.6.html, (Thu, Jan 28th)

-- Joel Esler | http://blog.joelesler ...(more)...

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified MeetingPlace, (Thu, Jan 28th)

Just wanted to call attention these patches released today:http://www.cisco ...(more)...

Active SEO poisoning attacks for hot topics, (Wed, Jan 27th)

In the past we have already covered how attackers are using SEO(Search Engine Optimization)&nb ...(more)...

Nmap 5.21 released (nmap.org): bug-fix only release., (Wed, Jan 27th)

-- Raul Siles www.raulsiles ...(more)...

Command Line Kung Fu, (Wed, Jan 27th)

A while ago I realized we've never mentioned the Command Line Kung Fu blog on the ISC diary. It is a ...(more)...

European Union Security Challenge (Campus Party 2010), (Wed, Jan 27th)

The Campus Party Europe 2010 (http://www.campus-party ...(more)...

Google Chrome v4.0.249.78 Released: http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html, (Wed, Jan 27th)

-- Raul Siles www.raulsiles ...(more)...

e107 CMS system website compromised, (Tue, Jan 26th)

The website of e107 CMSsystem was found to be compromised, directing users to malware site but ...(more)...

VMware vSphere Hardening Guide Draft posted for public review, (Tue, Jan 26th)

VMware announces the first draft of the vSphere Hardening Guide, posted for public comment. A ...(more)...

"Bots and Spiders and Crawlers, be gone!" - or - "New Open Source WebAppSec tools, Huzzah!", (Mon, Jan 25th)

Do you manage Apache based web server farms with Web Application Firewall (WAF) requirements that re ...(more)...

SANS%20RSS%20Feed

SANS Information Security Reading Room

Last 25 Computer Security Papers added to the Reading Room

The Evolving Role of Security Structures

Category: Management & Leadership

Paper Added: January 28, 2010

Capturing and Analyzing Packets with Perl

Categories: Intrusion Detection,Scripting Tips,Tools

Paper Added: January 28, 2010

Winquisitor: Windows Information Gathering Tool

Categories: Incident Handling,Tools

Paper Added: January 19, 2010

The%20Register

The Register - Security

Biting the hand that feeds IT

Critical infrastructure execs fear China
But they fear the US more

Operators of electrical grids, telecommunications networks, and other critical infrastructure say their systems are under constant attack, often from sophisticated nation-states, according to a poll of 600 IT executives in 14 countries who oversee such networks.…

Symantec slaps Trojan alert against Spotify
Scanner turns song software slayer

Symantec has apologised over a cock-up that resulted in the incorrect classification of streaming music service Spotify as a Trojan on Thursday.…

Congressional websites befouled by mucky-mouthed hackers
Swear splatter follows State of the Union address

A number of Congressional websites were defaced with abuse aimed at President Obama following Wednesday's State of the Union address.…

Japanese biometric border check no match for, um, tape
Caught sticky handed

Japan's million-dollar biometric immigration screening systems are still no match for a little ingenuity - and some tape.…

IE Windows vuln coughs up local files
One click bares entire C drive

If you use any version of Internet Explorer to surf Twitter or other Web 2.0 sites, Jorge Luis Alvarez Medina can probably read the entire contents of your primary hard drive.…

Phantom app risk used to bait scareware trap
The non-threat with no name

Scareware scammers are staking advantage of rumours about an "unnamed app" that supposedly poses a security risk to Facebook users in order to trick users into sites slinging rogue security software packages.…

Potty mouth hackers pwn TechCrunch (again)
This time it's personal

TechCrunch has been hit by potty-mouth hackers for the second time in 24 hours.…

Verified by Visa bitchslapped by Cambridge researchers
More about pushing blame than preventing fraud

Secondary credit card security systems for online transactions such as Verified by Visa are all about shifting blame rather then curtailing fraud, Cambridge University security researchers argue.…

Gates backs China in Google censorship spat
Uh, that's just what the Chinese do

Lovable, huggable ex-monopolist Bill Gates has more often than not found himself batting for China in a recent publicity drive as head of the Gates Foundation.…

Second US man admits DDoS attack on Scientology
Not so Anonymous after all

A Nebraska man has admitted he participated in a mass attack last year that briefly brought the Church of Scientology's website to its knees.…

Prolific hacker releases PlayStation exploit
Some memory-bus corruption required

On Monday, when we reported that the prolific hacker geohot had successfully penetrated the previously impervious PlayStation 3 gaming console, readers were understandably skeptical.…

Google Toolbar caught tracking users when 'disabled'
We'll ignore this window if you close it

Google has updated its browser toolbar after the application was caught tracking urls even when specifically "disabled" by the user.…

Defects in e-passports allow real-time tracking
This threat brought to you by RFID

Computer scientists in Britain have uncovered weaknesses in electronic passports issued by the US, UK, and some 50 other countries that allow attackers to trace the movements of individuals as they enter or exit buildings.…

StopBadware morphs into standalone non-profit
Anti-Malware Inc backed by Google and Mozilla

StopBadware, the anti-malware project started four years ago at Harvard University’s Berkman Center for Internet and Society, has spread its wings and become a standalone nonprofit corporation.…

Aurora-style attacks swiped oil find data from energy giants
Social networks implicated in planning Google assault

At least three US oil giants were hit by cyberattacks aimed at stealing secrets, in the months before the high-profile Operation Aurora attacks against Google, Adobe et al in December.…

'Aurora' code circulated for years on English sites
Where's the China connection?

Updated An error-checking algorithm found in software used to attack Google and other large companies circulated for years on English-speakinglanguage books and websites, casting doubt on claims it provided strong evidence that the malware was written by someone inside the People's Republic of China.…

'Cyber Genome Project' kicked off by DARPA
The code you write - it'll be as traceable as your DNA

Applecart-bothering Pentagon boffinry bureau DARPA is at it again. This time, the military scientists want to establish a "Cyber Genome" project which will allow any digital artifact - a document, a piece of malware - to be probed to its very origins.…

Smut-peddling hackers pwn TechCrunch
Tech site back up off the canvas

Updated Popular technology site TechCrunch was hit by potty-mouth hackers late on Monday, leaving the site temporarily unavailable.…

Oil companies hit by 'state' cyber attacks, says report
Petrol reserves data targeted

At least three US oil companies were victims of highly targeted, email-borne attacks designed to siphon valuable data from their corporate networks and send it abroad, according to a published report citing unnamed people and government documents.…

Once impenetrable PS3 cracked wide open
iPhone hacker: 'I have great power'

The first hacker to successfully jailbreak the iPhone says he has pulled off yet another modding marvel, this time penetrating the previously impervious PlayStation 3 gaming console.…

Kaspersky update slaps Trojan warning on Google Adsense
Tsk, you and your false positives

Updated An update to Kaspersky's popular anti-virus software on Monday falsely identified Google AdSense as a malicious script.…

Ladbrokes, police probe data breach
Millions of customer profiles for sale

Ladbrokes is investigating the loss of thousands of customer details from one of its databases, but is reassuring gamblers that the information did not include bank details or passwords.…

Slovak biker spat linked to rare destructive worm
Hi-tech equivalent of tyre-slashing spreads globally

A rare example of a destructive computer worm has been spotted on the web.…

http://www.networkworld.com/redesign2/logorss.gif

Network World on Security

The latest security news, analysis, reviews and feature articles from NetworkWorld.com.

DDoS attacks, network hacks rampant in oil and gas industry, other infrastructure sectors

Massive denial-of-service attacks and infiltration of corporate networks by attackers is a common experience for companies in critical infrastructure sectors, including financial services, energy, water, transportation and telecom.

Bugs and Fixes: Adobe Reader, Acrobat Come Under Fire

Adobe product security took another hit recently when reports surfaced of a zero-day attack against a critical vulnerability in the ubiquitous Adobe Reader.

Congressional Web sites hacked near Obama speech

More than two dozen Congressional Web sites have been defaced by the Red Eye Crew, a group known for its regular attacks on Web sites.

Will Cloud Computing Kill Privacy?

As cloud computing speeds ahead, privacy protections are too often being left in the dust.

Advance-fee fraud scams rise dramatically in 2009

People around the world continue to be duped by advance-fee frauds, with one Dutch private investigation company estimating the highest ever annual losses occurred in 2009.

Leading voice encryption programs hacked in minutes

Most voice encryption systems can be tapped in minutes by installing a voice-recording Trojan on the target computer, a security researcher has confirmed after testing a range of well-known products.

Malware Aims to Evade Windows 7 Safeguards

Experts agree that Windows 7 has enhanced security to ward off attacks on vulnerabilities in old software. But what if a money-minded online scammer can persuade you to download malware onto your PC?

Apple security threats exaggerated, report reveals

Apple's desktop computers experience little malware, a review of 2009 has found, but this is partly because attacks are starting to move to the company's other platforms such as the iPhone.

3D Secure online payment system not secure, researchers say

A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers.

Security, network management vendors add log, compliance capabilities

Security vendor Tripwire develops technology to take on security event and log management, while Ipswitch’s network management division WhatsUp Gold acquires Dorian Software to address customer compliance demands.

MoD staff leak military secrets on Facebook and Twitter

The Ministry of Defence has admitted that staff leaked secret information 16 times on social networking sites such as Facebook and Twitter over the past 18 months.

Brits accused of illegal file-sharing forking out £500

Hundreds of Brits are being forced to fork out £500 after wrongfully being accused of illegally downloading music and pornography files.

IMPERVAious to common sense

In December 2009, 32 million passwords stored without encryption on the Rockyou.com Web site were stolen and published on the Web for anyone to see. The security firm IMPERVA published a thorough analysis of these passwords to see how a large sample of users – not just those responding to a survey – actually manage their personal authentication.

PlayStation 3 hack released online

Days after announcing he'd managed to hack Sony's PlayStation 3 console to run his own software George Hotz has released the exploit online.

Bank files lawsuit against victim of $800,000 cybertheft

A Texas bank is suing a customer hit by an $800,000 cybertheft in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.

Canada needs cyber security czar: CATA Alliance

U.S. president Obama's appointment last December of a cyber security co-ordinator should be mirrored by the Canadian government if it wants to raise awareness of cyber security and leverage the security expertise that exists in Canada, according to the Canadian Advanced Technology Alliance (CATA Alliance).

WhatsUp Gold buys Windows security management vendor

WhatsUp Gold acquires Dorian Software to augment its network management software suite with security event and log management capabilities.

Review: Kingston's new USB drive offers public and encrypted partitions

Kingston recently unveiled a new version of its DataTraveler USB stick that includes the ability to create two partitions, one for public use and the other for secure data storage, a very handy feature.

Canadian bill tightens noose around identity thieves

A bill came into force last Friday that makes early stages of identity-related crime an offense in the Criminal Code, thereby granting Canadians greater protection against identity theft.

Smart phone security management a ripe market

The number of smart phones protected by advanced security software will increase fivefold over the next five years as IT departments seek out mobile device management services to deal with functionality that is more and more like that of the desktop, according to a recent report from ABI Research.

iPhone Hacker Cracks the PlayStation 3

Up to this point, just about every gaming console--from the Xbox 360 to the Nintendo DS--has been hacked in some way, usually to allow it to play pirated games. This excluded the PlayStation 3, which remained unhacked for over three years, leading many to believe that it is virtually impossible to hack.

Kaspersky false positive tags Google Adsense as Trojan

Following an update, Kaspersky Antivirus today falsely identified Google Adsense as a malicious script.

Nebraskan pleads guilty to 2008 Web attack on Scientologists

A 20-year-old man from Nebraska has agreed to plead guilty to charges stemming from a January 2008 attack on Web sites of the Church of Scientology.

Cisco, NetApp, VMware team up on virtualization security

Cisco, NetApp and VMware announced a project to improve the security of virtualization deployments, with a focus on isolating applications that use the same physical network, server and storage resources in multi-tenant systems.

Researcher to reveal more Internet Explorer problems

Microsoft's Internet Explorer could inadvertently allow a hacker to read files on a person's computer, another problem for the company just days after a serious vulnerability received an emergency patch.

Internal Investigations: The Basics

Internal investigations are a vital part of a security program. It's a serious matter when an employee is alleged to be violating company rules. So-called 'insider threats' can cause as much damage as thieves outside. These threats come in many different forms, including:

Student facing $675K music piracy fine hopeful award will be lowered

A federal judge's decision last week to reduce damages in a music piracy case has give a Boston University student reason to be optimistic that his $675,000 fine will be lowered.

Intego releases report on Mac, iPhone security for 2009

Security firm Intego has added to the bevy of year-in-review pieces for 2009 with a comprehensive report on Mac and iPhone security of the past year. While this may seem more than a little self-serving for the authors of VirusBarrier, the report is fair, comprehensive and hyperbole-free.

InSecurity Complex

Keeping tabs on flaws, fixes, and the people behind them.

Congressional sites defaced after Obama speech

By Elinor Mills

Third-party vendor manages 49 House of Representative Web sites that were hacked following president's address, and 18 that were defaced last year, report says.

Expert sees security issues with the iPad

By Elinor Mills

Security expert says things like strong encryption and an access control feature are missing from Apple's new iPad tablet device.

Report shows cyberattacks rampant; execs concerned

By Elinor Mills

Critical infrastructure networks are vulnerable to repeated, expensive attacks from adversaries and U.S. and China are seen as top potential aggressors, survey finds.

Report unearths targeted attacks on oil firms

By Elinor Mills

The Christian Science Monitor reports there is a China link in one of the attacks on three oil firms in 2008 that involved e-mails containing hyperlinks to spyware.

Report: Attackers sent Google workers IMs from 'friends'

By Elinor Mills

Attackers used social networks to research friends of employees with access to data and then posed as those friends, sending workers links to malware in instant messages, according to the Financial Times.

Report: Companies unprepared for cybercrime

By Elinor Mills

Hackers rated biggest threat by respondents, but nation-states and organized crime should not be disregarded, Deloitte study says.

Info Security News

Carries news items (generally from mainstream sources) that relate to security.

250, 000 White House Staffers, Visitors Affected by National Archives Data Breach

Posted by InfoSec News on Jan 28

http://www.wired.com/threatlevel/2010/01/national-archives-data-breach/
By Kim Zetter
Threat Level
Wired.com
January 27, 2010
A data breach at the National Archives and Records Administration is
more serious than previously believed. It involved sensitive personal
information of 250,000 Clinton administration staff members, job
applicants and White House visitors, as well as the Social Security
number of at least one daughter of former Vice...

TechCrunch hacked twice in 24 hours

Posted by InfoSec News on Jan 28

http://www.v3.co.uk/v3/news/2256848/techcrunch-hacked-again
By Phil Muncaster
V3.co.uk
27 Jan 2010
Security experts are warning webmasters to be on their guard, after
popular technology blog TechCrunch was hacked for the second time in 24
hours. Users were greeted this time with a four-letter tirade against
the site's founder, Michael Arrington.
The first hack happened at around 6am GMT yesterday morning, when
visitors saw a blank page...

Leading voice encryption programs hacked in minutes

Posted by InfoSec News on Jan 28

http://news.techworld.com/security/3211263/leading-voice-encryption-programs-hacked-in-minutes/
By John E. Dunn
Techworld
27 January 10
Most voice encryption systems can be tapped in minutes by installing a
voice-recording Trojan on the target computer, a security researcher has
confirmed after testing a range of well-known products.
Although this type of attack has been known about for some time, the
scale of the issue uncovered by...

A call for critical thinking about securing our electric grid

Posted by InfoSec News on Jan 28

http://fcw.com/articles/2010/01/27/cybereye-012510.aspx
By William Jackson
FCW.com
Jan 27, 2010
The electric power grid has emerged as one of the most critical elements
of our nation's critical infrastructure, and efforts to create an
interoperable Smart Grid with two-way communications and power flow are
highlighting the need for security. However, there also is a need for
more critical thinking about the grid’s vulnerability, according...

Cost Of Data Breaches Increased In 2009, Study Says

Posted by InfoSec News on Jan 28

http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=222500222
By Tim Wilson
DarkReading
Jan 26, 2010
The cost of data breaches continues to rise, and malicious attacks
accounted for more of them in 2009 than in previous years, according to
a study published today.
In conjunction with study sponsor PGP Corp., Ponemon Institute today
released the results of its fifth annual "U.S. Cost of a Data Breach"
report....

Oracle Sues Rimini Street For 'Massive Theft'

Posted by InfoSec News on Jan 28

http://www.informationweek.com/news/software/erp/showArticle.jhtml?articleID=222500155
By Paul McDougall
InformationWeek
January 26, 2010
The battle between Oracle and Seth Ravin is on again--and customers
might get caught in the crossfire.
InformationWeek has learned that the software maker on Monday filed a
lawsuit against Ravin's Rimini Street, Inc. for allegedly swiping Oracle
software and intellectual property so it can provide...

The DoD's very cloudy thinking over Gmail

Posted by InfoSec News on Jan 28

http://www.theregister.co.uk/2010/01/26/cloud_insecurity/
By Dan Olds
Gabriel Consulting
26th January 2010
In the wake of the Google vs. China dustup, we're starting to see some
discussion of the greater implications for computing, both in general
and the cloudy Google way.
The fact that some Gmail accounts were accessed by hackers looking for
dissidents raises some questions about the security of Gmail
specifically and the entire cloud...

For sale: Personal details of millions of Ladbrokes gamblers, offered to the MoS by a mysterious Australian

Posted by InfoSec News on Jan 25

http://www.dailymail.co.uk/news/article-1245622/For-sale-Personal-details-millions-Ladbrokes-gamblers.html
By Jason Lewis, Mail on Sunday Security Editor and Sandra White In Melbourne
24th January 2010
The confidential records of millions of British gamblers who bet with
top bookmaker Ladbrokes have been offered for sale to The Mail on
Sunday.
The huge data theft is now at the centre of a criminal investigation
after this newspaper was...

UMC: Patient info leaks likely date back to July

Posted by InfoSec News on Jan 25

http://www.lasvegassun.com/news/2010/jan/25/umc-patient-info-leaks-likely-date-back-july/
By Marshall Allen
Las Vegas Sun
Jan. 25, 2010
For more than three months someone at University Medical Center
illegally leaked the personal information of traffic accident victims -
a breach of social security numbers, birth dates and more that only
stopped when the Las Vegas Sun contacted the hospital about it,
according to a statement released today...

Without cyber response policies, U.S. can only denounce China attacks

Posted by InfoSec News on Jan 25

http://fcw.com/articles/2010/01/25/buzz-google-china-ultimatum.aspx
By John Zyskowski
FCW.com
Jan 25, 2010
When "The Official Google Blog" went public two weeks ago with news that
a cyberattack originating in China had targeted its corporate servers
and customers. e-mail accounts, including those of several human rights
activists, it served as the latest reminder of where U.S. and Chinese
national interests will increasingly...

US oil industry hit by cyberattacks: Was China involved?

Posted by InfoSec News on Jan 25

http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved
By Mark Clayton
Staff writer
The Christian Science Monitor
January 25, 2010
Houston -- At least three US oil companies were the target of a series
of previously undisclosed cyberattacks that may have originated in China
and that experts say highlight a new level of sophistication in the
growing global war of Internet espionage.
The oil and gas...

Report: Attackers sent Google workers IMs from 'friends'

Posted by InfoSec News on Jan 25

http://news.cnet.com/8301-27080_3-10441004-245.html
By Elinor Mills
InSecurity Complex
CNet News
January 25, 2010
People behind the China-based online attacks of Google and other
companies looked up key employees on social networks and contacted them
pretending to be their friends to get the workers to click on links
leading to malware, according to a published report on Monday.
"The most significant discovery is that the attackers had...

Federal Computer Week: Security News

Cybersecurity regs seen as less restrictive in the U.S.

Some information technology executives in the U.S. also estimate that a major cyberattack would cost a company $6.3 million for one day of downtime.

New cybersecurity coordinator says he has the president’s ear

In his first public talk since taking the job, Howard Schmidt seeks to allay concerns about his influence in the White House.

A call for critical thinking about securing our electric grid

The nation’s electric power grid is a vital part of our critical infrastructure, but it might not be as vulnerable and fragile as it appears. One expert says it is more resilient than we give it credit for.

DARPA eyes digital fingerprints to track computer attacks

The Defense Advanced Research Projects Agency is holding a conference for those interested in helping with a project to use digital DNA to bolster cyber defense.

 

eWeek Security Watch

Phony AV Now Stalking Google Image Search

In Virus and Spyware

Rogueware campaigns have now reached into Google Image search results, researchers report.

Black Hat SEO Campaign Targets iPad

In SEO

Rogue security software purveyors are using interest in the Apple iPad to trick users into visiting malicious sites.

Unnamed App Stalks Facebook Users

In Virus and Spyware

Attackers are trying to lure Facebook users into infecting themsevles by circulating information about a nonexistent threat over the networking site in hopes that people go looking for information elsewhere and stumble upon poisoned URLs.

Where Art Thou Conficker?

In Virus and Spyware

Ever wonder where Conficker went to? It's still alive and kicking with the potential to make a comeback, experts note.

Hydraq Attack's Resiliency Uncovered

In multimedia

The massive Trojan campaign used fairly well known methods to keep itself alive on infected devices, Symantec reports.

Possible Worm Prank No Laughing Matter

In Virus and Spyware

A worm that may have started as a prank to target fans of a biker club has hit Windows computers around the world.

DarkReading - Security News

DarkReading

W. Ward Carey Elected to the Nocopi Technologies, Inc. Board of Directors
Cresting Wave and CityMint Partner to Boost Sales
Wigix.com, New High Tech Community-Driven Marketplace Names Former IBM Executive Nick Donofrio to Its Board
Stonebranch Launches Scribbos:Intellicrypt
Host.net Teams with StillSecure to Protect Cloud Computing Clients
The Billeo Offer Assistant's One-Click Discounts Earn Shoppers Cash Back From Banks, Credit Cards -- And Now Microsoft's Bing

 

DarkReading - All Stories

DarkReading

Black Hat DC: Researchers To Release Web Development Platform Hacking Tool

Tool tests for newly discovered class of vulnerabilities in popular Apache, Sun, Microsoft Web development platforms

Identity Thieves Successfully Targeting Wealthy Victims, Study Says

Affluent individuals who live "the good life" are 43 percent more likely to be victims of identity fraud, according to Experian study

Anatomy Of A Targeted, Persistent Attack

New report provides an inside look at real attacks that infiltrated, camped out, and stole intellectual property, proprietary information -- and their links to China

Cybersecurity Czar's First Two Weeks On The Job 'Non-Stop'

Howard Schmidt address Google attack in first public speech

Cost Of Data Breaches Increased In 2009, Study Says

Ponemon Institute research says cost of data breaches was up in 2009; malicious attacks are the most costly

New Attack Uses Internet Explorer's Own Features Against It

Microsoft investigating threat, considering patch or offering guidance for protection

Flaws In The 'Aurora' Attacks

Security experts say targeted attacks could have been much worse, point out strategic errors made by the attackers

 

Darknet%20-%20Hacking,%20Cracking%20%26%20Computer%20Security

Darknet - The Darkside

Ethical Hacking, Penetration Testing & Computer Security

Groundspeed 1.1 – Web Application Security Add-on For Firefox

By Darknet on website security testing

Groundspeed is an open-source Firefox extension for web application security testers presented at the OWASP AppSec DC 2009. It allows you to manipulate the web application’s user interface to eliminate annoying limitations and client-side controls that interfere with the web application penetration test. What can I do with...
Read the full post at darknet.org.uk

Playstation 3 (PS3) Finally Hacked & Exploit Released

By Darknet on ps3 exploit

Ah finally some proof of the mythical Playstation 3 exploit released publically. Sadly as always the lack of sales on the PS3 can be partially attributed to the lack of a homebrew scene (aka ability to pirate games). There have been rumours and some speculation about the PS3 finally being exploited with news breaking earlier this [...]
Read the full post at darknet.org.uk

Browser Fuzzer 3 (bf3) – Comprehensive Web Browser Fuzzing Tool

By Darknet on web-security

Browser Fuzzer 3, or bf3, is a comprehensive web browser fuzzer. Browser Fuzzer 3 is designed as a hybrid framework/standalone fuzzer; the modules it uses are extensible but also highly integrated into the core. bf3 can be used via command line to set all necessary flags for each fuzzing operation. After initialization, bf3 creates test [...]
Read the full post at darknet.org.uk

CounterMeasures - Security, Privacy & Trust

A Trend Micro Solutions Architect Blog

Haiti Spam Leads to New Malware

By Mary Bagtas (Anti-spam Research Engineer) on Spam

As rescue efforts continue in Haiti, the world waits with bated breath for more good news about survivors. Unfortunately, while most people are thinking of ways to help victims, cybercriminals are using the tragedy to further their own malicious causes. Blackhat search engine optimization (SEO) poisoning attacks related to this tragedy have already led to [...]

Post from: TrendLabs | Malware Blog - by Trend Micro

FAKEAV Gets First Dibs in Profits from Apple iPad

By Carolyn Guevarra (Technical Communications) on Security

Even before the first user could buy the latest and upcoming Apple technology, the iPad, cybercriminals are already making profit from its popularity. Trend Micro threat engineers today found some malicious search results while looking for information related to the announcement of the Apple tablet. These poisoned search results turned out to be related to the never-ending [...]

Post from: TrendLabs | Malware Blog - by Trend Micro

Hackers Exploit Actor Johnny Depp’s Death Hoax

By Danielle Veluz (Technical Communications) on Security

News involving celebrity deaths (real or hoax) have a habit of spreading across the Internet like wildfire, sensationalizing bits of information to entice readers. So, it is easy to see why pranksters and cybercriminals exploit the fact that people love gossip. So when rumors of Johnny Depp’s supposed death due to a car crash broke out, [...]

Post from: TrendLabs | Malware Blog - by Trend Micro

Where in the World Is DOWNAD/Conficker?

By Ria Rivera (Technical Communications) on Security

It has been a year since WORM_DOWNAD.AD (aka “Conficker”) began a trail of system infections around the world. Since then, Trend Micro has detected new variants, including WORM_DOWNAD.KK, which proved to be an upgraded version that enabled the worm to increase the number of domains it generated from 250 to 50,000. In recent months, things have [...]

Post from: TrendLabs | Malware Blog - by Trend Micro

Phishers Target AOL IM Users

By Fatima Bancod (Fraud Analyst) on Spam

Trend Micro fraud analysts were recently alerted to the discovery of a new phishing campaign that specifically targets AOL Instant Messenger (AIM) users. The spammed message purports to be from AIM and urges recipients to download and execute the latest AIM version to reactivate their currently inactive accounts. This becomes a problem if the receivers actually have AIM [...]

Post from: TrendLabs | Malware Blog - by Trend Micro

Searches for Free Printable Items Lead to Malicious Domains

By JM Hipolito (Technical Communications) on News

Trend Micro threat analysts from EMEA have found a blackhat search engine optimization (SEO) attack that uses strings with the phrase “free printable” to hijack search traffic by directing it to a rogue search engine. Our researchers found that search engine queries using the string “free printable” yield results that include compromised websites (see Figure 1). [...]

Post from: TrendLabs | Malware Blog - by Trend Micro

CNET News - Security

Web searches for iPad leading to malicous sites

By Larry Magid

Security companies are warning people to be careful about scams involving e-mail or Web search for the Apple iPad or any other popular topic.

Originally posted at Safe and Secure

Congressional sites defaced after Obama speech

By Elinor Mills

Third-party vendor manages 49 House of Representative Web sites that were hacked following president's address, and 18 that were defaced last year, report says.

Originally posted at InSecurity Complex

Expert sees security issues with the iPad

By Elinor Mills

Security expert says things like strong encryption and an access control feature are missing from Apple's new iPad tablet device.

Originally posted at InSecurity Complex

It's been 10 years: Why won't people pay for privacy?

By Declan McCullagh

On Data Privacy Day and well into the Internet era, a look at a decade of failed business models that had hoped to make billions protecting customers' personal information.

Originally posted at News - Politics and Law

Report shows cyberattacks rampant; execs concerned

By Elinor Mills

Critical infrastructure networks are vulnerable to repeated, expensive attacks from adversaries and U.S. and China are seen as top potential aggressors, survey finds.

Originally posted at InSecurity Complex

Security researchers knock 'Verified by Visa'

By Tom Espiner

Credit-card authentication system teaches online shoppers risky habits because it doesn't display visual markers, such as a color-coded browser bar or "https," researchers say.

Police set up Olympics e-crime teams

By Tom Espiner

Two teams in London will deal with crimes such as attempted hacks on computer systems and fraudulent ticketing Web sites.

Report unearths targeted attacks on oil firms

By Elinor Mills

The Christian Science Monitor reports there is a China link in one of the attacks on three oil firms in 2008 that involved e-mails containing hyperlinks to spyware.

Originally posted at InSecurity Complex

Report: Attackers sent Google workers IMs from 'friends'

By Elinor Mills

Attackers used social networks to research friends of employees with access to data and then posed as those friends, sending workers links to malware in instant messages, according to the Financial Times.

Originally posted at InSecurity Complex

Report: Companies unprepared for cybercrime

By Elinor Mills

Hackers rated biggest threat by respondents, but nation-states and organized crime should not be disregarded, Deloitte study says.

Originally posted at InSecurity Complex

 

CGISecurity - Website and Application Security News

All things related to website, database, SDL, and application security since 2000.

WASC RSA Meet-Up 2010!

By Robert A. on WASC

The Web Application Security Consortium (WASC) is having an official meetup in San Francisco during the RSA conference.If you like to get free food/drinks, shoot pool, and chat appsec with many of the leading researchers in the appsec world this is your chance. WASC RSA 2010 Meet-up Wednesday, March 3, 2010 Lunch...

 

 

 

********************************************************************************************** CONFIDENTIALITY NOTICE: The information contained in this email is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If you are not the intended recipient, you are hereby notified that any unauthorized review, use, dissemination, distribution or copying of this communication is prohibited and may be subject to legal restriction or sanction. If you have received this email in error, please notify the sender immediately to arrange for return or destruction of the information and all copies. If you are the intended recipient but do not wish to receive communications through this medium, please advise the sender immediately. Thank you **********************************************************************************************

No comments:

Post a Comment

My Blog List