Security Fix
Wed, 30 Apr 08
More Trouble With Ads on ISPs' Error Pages
http://blog.washingtonpost.com/securityfix/2008/04/more_trouble_with_ads_on_isps.html?nav=rss_blog
Last week, Security Fix examined new research suggesting that some major Internet service providers are exposing their customers to security flaws when they redirect wayward Web surfers to ad-filled pages. I'm revisiting this controversial practice because another major provider of these services (for one of the nation's largest ISPs) was found to be similarly vulnerable. As noted here last week, Earthlink and a few other ISPs are using a service from a U.K. company called BareFruit, which helps ISPs redirect users to ad-filled pages when they either request a Web site that does not exist or when they mistype a real domain, e.g., ww.example.com (notice the missing "w"). Researcher Dan Kaminsky found that BareFruit's servers contained a security flaw that would have made it easy for hackers and scammers to trick the ISP's customers into visiting phishing sites or downloading malicious software. Kaminsky presented evidence that Verizon was among the
Wed, 30 Apr 08
Microsoft Delays Windows XP Service Pack 3
http://blog.washingtonpost.com/securityfix/2008/04/microsoft_delays_windows_xp_se.html?nav=rss_blog
Microsoft is delaying the release of Service Pack 3 for Windows XP users due to a "compatibility issue" with the bundle of updates and a supply-chain solution the company markets to small- and medium-sized businesses. The software giant had previously said SP3 would be released to XP customers today via Windows Update and its software download center. In a written statement, Microsoft said: "In order to make sure customers have the best possible experience we have decided to delay releasing Windows XP SP3 to Windows Update and Microsoft Download Center. "To help protect our customers, we plan to put filtering in place shortly to prevent Windows Update from offering both service packs to systems running Microsoft Dynamics RMS. Once filtering is in place, we expect to release Windows XP SP3 to Windows Update and Download Center." Security Fix will post another update when Microsoft makes Service Pack 3 available for
Tue, 29 Apr 08
A Case of Network Identity Theft?
http://blog.washingtonpost.com/securityfix/2008/04/a_case_of_network_identity_the_1.html?nav=rss_blog
Digital real estate leased to one of the Internet's oldest landholders appears to have been quietly seized by e-mail marketers closely associated with an individual once tagged by anti-spam groups as one of the world's most notorious spammers. What's remarkable about this case study is that it pits a vocal spammer against the American Registry for Internet Numbers, which has yet to take action. ARIN is one of five regional Internet registries worldwide that is responsible for allocating IP addresses (ARIN handles this process for the United States, Canada and 22 Caribbean countries). The real estate in question is Internet address space long ago issued to San Francisco Bay Packet Radio, an organization that was involved way back in the 1970s in testing ARPANET, a predecessor to the global commercial Internet that we all use today. That organization was given the rights to do whatever it wanted with any numeric
Tue, 29 Apr 08
Do You Foxit? Then Patch It!
http://blog.washingtonpost.com/securityfix/2008/04/use_foxit_patch_it.html?nav=rss_blog
The makers of Foxit Reader -- a free alternative application to Adobe's software for viewing portable document format (PDF) files -- have issued an update that plugs several security holes. Hats off to Foxit Software, which turned around a patched version of its program about 24 hours after a security researcher published information about the vulnerabilities. The latest build, available from this link, brings the current, patched version to 2.3 Build 2825. The "what's new?" page describing the new features in Foxit 2.3 is largely devoid of any information about security updates. But a post to the Foxit user forum indicates the security flaws disclosed last week have indeed been addressed in this latest version.
Sat, 26 Apr 08
Hundreds of Thousands of Microsoft Web Servers Hacked
http://blog.washingtonpost.com/securityfix/2008/04/hundreds_of_thousands_of_micro_1.html?nav=rss_blog
Hundreds of thousands of Web sites -- including several at the United Nations and in the U.K. government -- have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines. The attackers appear to be breaking into the sites with the help of a security vulnerability in Microsoft's Internet Information Services (IIS) Web servers. In an alert issued last week, Microsoft said it was investigating reports of an unpatched flaw in IIS servers, but at the time it noted that it wasn't aware of anyone trying to exploit that particular weakness. On Thursday, Spanish anti-virus vendor Panda Security said that it had alerted Microsoft that a flaw in IIS was the cause of all the break-ins. When I asked Microsoft whether they'd heard from Panda or if the hundreds of thousands of sites were hacked from a patched
Thu, 24 Apr 08
Hannaford's Breach Tests Limits of Security Controls
http://blog.washingtonpost.com/securityfix/2008/04/hannaford.html?nav=rss_blog
Supermarket chain Hannaford Bros. is spending millions of dollars to upgrade its security in a bid to close the holes that allowed thieves to steal up to 4.2 million credit and debit card numbers from store networks. The remarkable thing about this case is not that the company was hacked, despite being certified as compliant with the security rules laid out by the payment card industry, but that so few retailers and businesses who accept card data even reach the level of security Hannaford had in place prior to its breach. In a conference call with reporters Monday, Hannaford chief information officer Bill Homa said the company planned to spend millions of dollars putting "military- and industrial-strength" security controls in place at its corporate and store networks. To that end, Homa said Hannaford is installing new intrusion-prevention systems to monitor the company's various networks, and that it is in the
Thu, 24 Apr 08
Badware Threat Changes Apple's Tune on Safari
http://blog.washingtonpost.com/securityfix/2008/04/badware_threat_changes_apples_1.html?nav=rss_blog
In response to mounting criticism from security and privacy experts, Apple has changed the way its Software Update program pushes out the Safari Web browser to Windows users. But the changes may not go far enough for many people because the browser is still being disguised as a security update. (A screenshot of how the old updater offered Safari.) Cupertino has long used Apple Software Update to deploy iTunes and QuickTime patches to Windows users. Not long ago, however, Apple also began offering Safari in the same window. This ignited a firestorm of protest from users and bloggers. Even tech policy groups jumped into the fray: Stopbadware.org -- an organization that includes tech thought leaders from Harvard and Oxford as well as sponsors like Google and Sun Microsystems -- threatened last week to slap a "badware" label on Apple's updater. Stopbadware noted that not only was the practice
Wed, 23 Apr 08
Obama Site Visitors Redirected to Clinton Campaign
http://blog.washingtonpost.com/securityfix/2008/04/obama_site_visitors_redirected.html?nav=rss_blog
On the eve of the presidential primary in Pennsylvania, an online prankster leveraged a security vulnerability on Sen. Barack Obama's campaign Web site to redirect visitors to Sen. Hillary Rodham Clinton's campaign site. According to Symantec, someone embedded computer code into a posting on the Obama blog. The content in this case targeted a cross-site scripting flaw (XSS), an exceedingly common type of vulnerability that can be used to automatically redirect Web browsers viewing the affected page to another site. The redirect was posted shortly after the Obama site was listed at xssed.com, a collaborative online archive of cross-site scripting vulnerabilities present in thousands of Web sites. While the episode appears to have been little more than a prank, the Web site flaw could have been used for more nefarious purposes, such as silently installing malicious software from third-party sites or popping up a fake campaign contribution page to steal
Wed, 23 Apr 08
A Shifting Definition of 'Severity'
http://blog.washingtonpost.com/securityfix/2008/04/patch_now_or_later_1.html?nav=rss_blog
Microsoft this week issued a study that examines the malicious software threat to Windows computers ... a report clearly written from the software giant's vantage point. While the report includes some interesting stats about which malware samples were most prevalent on customer machines last year, the most meaningful section of the report focuses on a new development that may force Microsoft to redefine its approach to security. Microsoft said the number of security bulletins it released in 2007 was 11.5 percent lower than in 2006, and that the number of vulnerabilities covered by those bulletins was 29.6 percent lower than the number covered by the 2006 bulletins (the term "bulletin" is a bit of an artificial construction that does not equate to the total number of vulnerabilities, because Microsoft's "bulletins" often fix multiple security flaws). If Microsoft issued fewer patches last year, attackers hardly noticed. In 2007, instructions for exploiting
Tue, 22 Apr 08
Java Update Released
http://blog.washingtonpost.com/securityfix/2008/04/java_update_released.html?nav=rss_blog
Sun Microsystems issued another update to fix security and stability problems with its Java software, but few users are likely to have noticed, as Sun currently isn't doing anything to alert people. (Java's updater errantly says my Java 6 Update 5 is the latest.) The latest update to the version of Java most Microsoft Windows users have on their machines -- Java Runtime Environment (JRE, also called simply "Java Update" in the Windows Add/Remove Programs list) -- is JRE 6 Update 6. However, both of the methods I normally use to tell whether I'm running the latest, patched version failed to tell me that there was a new version of Java available. Update 6 plugs at least one security vulnerability, along with at least a dozen other bugs. Sun's Java page isn't much help either. I've found that the Java updater that ships with the software typically takes anywhere from two
Sun, 20 Apr 08
When Monetizing ISP Traffic Goes Horribly Wrong
http://blog.washingtonpost.com/securityfix/2008/04/when_monetizing_isp_traffic_go.html?nav=rss_blog
In seeking to further monetize Web site traffic on their networks, a number of major Internet service providers may be inadvertently exposing their customers to a greater risk of online attack from identity thieves, according to research released today. Many ISPs have already adopted the controversial practice of serving advertisements when a customer tries to browse to a Web site that does not exist. But a growing number of providers also are serving ad-filled pages when customers request a subdomain of a Web site that does not exist, such as something.example.com. This practice, which experts say potentially introduces new copyright violation claims, also potentially introduces security threats when ISPs outsource the ad-serving process to third parties. The findings come from Dan Kaminsky and Jason Larsen, security researchers from IOActive, a security company based in Seattle, the site of the Toorcon hacker conference where the two are expected to unveil their
Fri, 18 Apr 08
Windows Vista Service Pack 1: Not for the Impatient
http://blog.washingtonpost.com/securityfix/2008/04/windows_vista_service_pack_1_n_1.html?nav=rss_blog
Microsoft has released a bundle of security and stability updates for Windows Vista users. What follows is a long-overdue primer on this package of goodies from Redmond known as Service Pack 1. While some people's experience with Service Pack 2 for Windows XP may have left them feeling wary about installing this package, I haven't heard about SP1 causing any major problems for Vista users. Most Vista systems probably will be better off -- security- and stability-wise -- with this rollup than without it, for the reasons I describe below. One reason I haven't heard of any problems with SP1 may be that few people have installed it yet. Following all of Microsoft's instructions for prepping a system to receive SP1 can be extremely time-consuming, and even more so for a subset of Vista users who have certain incompatible hardware drivers installed on their systems. As a result, it's
Fri, 18 Apr 08
Security Updates for Firefox, Safari
http://blog.washingtonpost.com/securityfix/2008/04/security_updates_for_firefox_s_1.html?nav=rss_blog
Both Apple and Mozilla issued updates late Wednesday to plug security holes in their Web browser software. The Mozilla update fixes a single critical vulnerability in the way Firefox handles "JavaScript garbage collection." Mozilla says this update was issued "primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past." Mozilla does note, however, that its Thunderbird e-mail client shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. "This is not the default setting and we strongly discourage users from running JavaScript in mail," Mozilla warned. Apple's patches fix at least four separate flaws in Safari. All four are present in the Windows version of Safari, while the version designed for Macs contains just two of the
Thu, 17 Apr 08
Identity Theft Smash & Grab, CEO Style
http://blog.washingtonpost.com/securityfix/2008/04/identity_theft_smash_grab_ceo.html?nav=rss_blog
Tens of thousands of corporate executives were the target of a series of identity-theft scams this week, e-mail-borne schemes that appear to have netted close to 2,000 victims so far. Early Monday morning, according to two security experts with firsthand knowledge of the attacks, nearly 20,000 executives received an e-mail purporting to be a subpoena ordering each recipient to appear in court for legal violations leveled against their company. The messages addressed each executive by name, and included their phone number and the name of their company. Recipients who clicked the link were brought to a Web page that claimed they needed to install a Web browser add-on in order to view the subpoena. Those who agreed were shown an Adobe PDF document that referenced a lawsuit filed in a California district court. The "add-on" in question was a component designed to steal usernames and passwords when the victim subsequently
Thu, 17 Apr 08
Online Security: A Closer Look at a Negative Example
http://blog.washingtonpost.com/securityfix/2008/04/dailing_for_phone_call_records.html?nav=rss_blog
It may be easier than you think for someone to steal your wireless phone records. At least, that's the case if you're a Sprint wireless phone user. Sprint makes it very easy for customers to go online to view and manage their accounts and account activity. Signing up to take advantage of that service is simple. It may be too simple. I first read about this on Monday at The Consumerist, a blog that covers consumer gripes. As The Consumerist describes, anyone can visit the Sprint homepage and sign up as a new user. You simply enter the Sprint phone number of the account you want to register, enter the owner's first and last name, an e-mail address, and then pick a username and password. While the signup process may check to see if the first and last name matches the account on file for that number, a user can
Tue, 15 Apr 08
Security Fix Pop Quiz, Spring 2008 Edition
http://blog.washingtonpost.com/securityfix/2008/04/security_fix_pop_quiz_spring_2.html?nav=rss_blog
Have you been keeping up to date with the latest security patches? Examine the list below to see how you've done. If you're not sure which version of a program you're running, you can usually tell by selecting "Help" and then "About [software name]" from the program menu.
Adobe Flash, version 9.0.124.0, released April 8.
Adobe Reader, version 8.1.2, released Feb. 7.
Apple/Mac OS X, Security Update 2008-002, released March 18.
Microsoft Windows: April Patches.
Mozilla Firefox, version 2.0.0.13, released March 25.
Opera, version 9.27, released April 3.
QuickTime, version 7.4.5, released April 2.
Skype, version 3.6.0.248, released February 5.
Sun Java JRE, Version 6 Update 5, released March 4.
VideoLAN VLC Player (free alternative to RealPlayer), version 0.8.6, released April 2.
Winamp, version 5.53, released Feb. 14.
WinRAR (file zip/unzip shareware utility), version 3.71, released Nov. 2007.
Alternatively, you could head over to Secunia's site and scan your system with
Sat, 12 Apr 08
Time to Patch Your Flash
http://blog.washingtonpost.com/securityfix/2008/04/time_to_patch_your_flash.html?nav=rss_blog
Adobe has issued an update to patch several security holes in its Flash player. Most people will have some version of Flash installed on their computers, so it's a good idea to take a moment and make sure your system receives this update. Updates are available for Flash on Windows, Mac OS X, Linux and Solaris systems. The new version is 9.0.124.0. The Flash installer should remove any older versions on your system before installing the newest one, so there's no need to manually uninstall your existing Flash installation before updating. The installer should also update the Flash plug-in for multiple browsers, including Internet Explorer, Firefox and Opera, all in one go. But it's still a good idea after updating to visit this link to Adobe's About Flash page -- with each of the browsers you use -- to make sure its Flash install has been updated. If for some
Fri, 11 Apr 08
Spammers Using Google, Outlook Calendars to Get Your Attention
http://blog.washingtonpost.com/securityfix/2008/04/spammers_scheduling_google_out.html?nav=rss_blog
Spammers are starting to use the meeting invite features of both Google Calendar and Microsoft Outlook to send messages advertising the latest designer watches and prescription drugs. This week, Security Fix heard from a reader who said he had received an e-mail with an Outlook meeting invitation attached. Suitably wary of the spammy invite, he closed out the e-mail and ignored it. But when he opened up his Outlook calendar a few minutes later, he was horrified to find the spam "meeting" was scheduled anyway. How would you like an Outlook calendar full of this? (Screenshot created by Brian Krebs as an example of what calendar spam looks like.) After Googling a bit on the subject, I found that spammers have recently been doing the same thing to Google Calendar users. Everyone gets spam, but for obvious reasons having unauthorized meetings sent by a spammer show up on your calendar is
Thu, 10 Apr 08
Online Banking: Do You Know Your Rights?
http://blog.washingtonpost.com/securityfix/2008/04/online_banking_do_you_know_you_1.html?nav=rss_blog
The financial industry in the United Kingdom recently reaffirmed a policy that holds online banking customers liable for losses if they fail to secure their personal computers against data-stealing computer viruses. While this policy may seem surprising or even draconian to some Americans, the reality is that most U.S. consumers remain woefully uninformed as to their own security liabilities when banking online. News of the new U.K. banking codes comes via The Register, which reported that under the new regulations "banks will not be responsible for losses on online bank accounts if consumers do not have up-to-date anti-virus, anti-spyware and firewall software installed on their machines." The full text of the updated banking code is here (PDF). The relevant sections are 12.5 through 12.13. This touches on a question Security Fix receives quite often from readers: "If my computer gets hacked and someone uses it to steal money from my
Thu, 10 Apr 08
Get Paid to Find 'Back Doors'
http://blog.washingtonpost.com/securityfix/2008/04/get_paid_to_find_software_hard_1.html?nav=rss_blog
A security research and training group is offering up to $20,000 in grants to anyone with computer programming chops who can help locate and close hidden "back doors" in commercial hardware and software. According to the Bethesda, Md.-based SANS Institute -- the group offering the grants -- hundreds of millions of devices, from printers to Internet routers and storage systems, are being placed on networks with built-in back doors. Software and hardware makers have for years quietly built these remote administration tools into their products, mainly to help customers troubleshoot the devices. In some cases, the back doors are documented by the vendor or known to technicians and security experts. But Alan Paller, director of research at SANS, said in far too many cases these back doors are never disclosed or are included and forgotten, only to be discovered later and exploited by hackers. "The manufacturers of these systems
Wed, 9 Apr 08
Microsoft Fixes 10 Security Vulnerabilities
http://blog.washingtonpost.com/securityfix/2008/04/microsoft_updates_fix_10_secur.html?nav=rss_blog
Microsoft today issued software updates to plug at least 10 security holes in its Windows operating systems and other software. More than half of the vulnerabilities fixed by these patches earned the company's most dire "critical" rating, and several of them are located in areas of Windows that attackers have shown an affinity for exploiting in the past. Among the more serious security holes fixed today is one present in a component of Windows (GDI) used to process certain types of images. This is the type of vulnerability that could be exploited to install software on a vulnerable system just by convincing the user to visit a malicious Web site. Indeed, attackers targeted a very similar vulnerability back in 2005 to compromise massive numbers of Windows computers with password-stealing programs when unsuspecting users visited one of thousands of hacked Web sites. Security vendor Symantec says there is a good chance
Wed, 9 Apr 08
Kraken Spawns a Clash of the Titans
http://blog.washingtonpost.com/securityfix/2008/04/kraken_creates_a_clash_of_the.html?nav=rss_blog
Most of my waking hours on Monday were spent fielding indignant queries from sources in the anti-virus industry who were wondering what I knew about reports of a new family of malicious software that allegedly had managed to infect more than 400,000 computers worldwide seemingly overnight with computer code that hijacked each machine for use in blasting out spam e-mails. What I discovered says as much about the steady-as-she-goes state of the anti-virus industry as it does about the lengths to which an upstart security company will go to upset the apple cart that defines the mainstream computer security marketplace today. At issue was news that Atlanta-based security firm Damballa had discovered that hackers had infected more than 400,000 Windows PCs with malicious software that forces them to relay junk e-mail. The story noted that this particular contagion had heretofore gone undetected by 80 percent of the commercial anti-virus tools on
Tue, 8 Apr 08
Social Networking Accounts Prized By Cybercrooks
http://blog.washingtonpost.com/securityfix/2008/04/social_networking_accounts_pri.html?nav=rss_blog
Cyber criminals increasingly are moving away from trying to break into computers directly, choosing instead to target Internet users where they spend much of their time online -- at social networking Web sites, new data suggests. In an analysis of cyber crime activity in the 2nd half of 2007, security vendor Symantec Corp. found that two social networking sites together were the target of 91 percent of U.S.-based phishing Web sites. Social networking sites also were the leading targets of phishing sites located in four other countries listed by Symantec in its phishing Top 10. (Source: Symantec Corp.) Hijacked social networking pages often are used to host malicious software or "malware" directly, or to host links to phishing or malware sites that are then advertised in messages sent to all of the contacts in the victim's social network. Why on earth would hackers want to bother stealing user names and passwords
Tue, 8 Apr 08
RedBox Warns of Credit Card Skimmers
http://blog.washingtonpost.com/securityfix/2008/04/redbox_warns_of_credit_card_sk.html?nav=rss_blog
DVD-rental vending machine maker RedBox today warned customers to be on the lookout for any unusual activity or physical changes to local RedBox kiosks, after the company discovered evidence that criminals had retrofitted at least three of the machines with devices to steal credit-card information. (An example of a RedBox machine with an illegal credit card skimmer attached.) The company said several RedBox machines had been fitted with "skimmers" -- magnetic stripe reading and storage devices that can be installed over the top of existing card readers. RedBox said it found an illegal skimming device attached to one machine in Tempe, Ariz., and that it had discovered evidence of skimming at two other locations in Las Cruces, N.M. In a notice posted on its Web site, RedBox said it is not aware of any fraudulent activity or transactions using its customers' accounts, and that it is working to minimize the risk
Tue, 8 Apr 08
Opera Updates and a Black Tuesday Preview
http://blog.washingtonpost.com/securityfix/2008/04/opera_updates_and_a_black_tues_1.html?nav=rss_blog
Opera this week released a new version of its Web browser to correct at least two remotely exploitable security vulnerabilities. Separately, Microsoft said it plans to release eight updates on Tuesday as part of its regular monthly patch cycle. The latest version of Opera -- 9.27 -- is available at this link. More details on the vulnerabilities fixed are here and here. Microsoft said it will most likely release eight updates, five of which will carry its most serious "critical" rating, meaning the vulnerabilities they fix can be exploited by attackers remotely with little or no help from the victim. As Microsoft's individual updates often fix multiple security holes, we could be talking about a large number of flaws patched tomorrow.
Mon, 7 Apr 08
Beware Targeted Data-Stealing Tax Scam
http://blog.washingtonpost.com/securityfix/2008/04/beware_targeted_datastealing_t.html?nav=rss_blog
A fresh round of targeted e-mail attacks is underway, arriving in messages that personally address both the recipient and his or her employer. One pretends to be sent from the IRS requesting more information about company tax filings. Another set of targeted e-mails purports to be sent from Microsoft, urging recipients to download and install a new security update. Both try to trick the user into installing software that steals personal and financial data from the victim's PC. The messages spoofing the IRS are very convincing (you can see a copy of one sent to one of the corporate finance officers for Sunbelt Software at this link). The attached file, a screensaver file made to look like an Adobe PDF file named "tax_refund_file.scr", when clicked, silently downloads malware and pops up a seemingly random PDF document as a diversion. The Microsoft attack arrives in an e-mail with the subject
Mon, 7 Apr 08
Consumers Report $239 Million Lost To Cyber Fraud In '07
http://blog.washingtonpost.com/securityfix/2008/04/consumers_report_239_million_l.html?nav=rss_blog
U.S. consumers reported losing more than $239 million from online fraud last year, up from $198 million in 2006, according to data released today by the FBI. Internet auction fraud (35.7 percent) and merchandise non-delivery (24.9 percent) were the most frequently reported types of cyber fraud. The median loss amount per fraud incident last year was approximately $680, the report said. The most costly scams involved investment fraud, which cost consumers about $3,500 per incident -- and check fraud ($3,000). In nearly 74 percent of the cases, the perpetrators contacted the victim via e-mail. The full report is available here (PDF). The FBI cautions, however, that some fraud reports may have been misclassified by victims. For example, it works closely with auction giant eBay, which routinely refers fraud victims to the FBI's Internet Crime Complaint Center (IC3), the organization that published these figures. The report notes that many consumers referred
Fri, 4 Apr 08
Reach Out And Hack Someone
http://blog.washingtonpost.com/securityfix/2008/04/reach_out_and_hack_someone.html?nav=rss_blog
Gone are the days when telephones were dumb appliances that you simply plugged into the wall and forgot: Security researchers from one Internet security firm have located more than 100 vulnerabilities in hardware and software that powers the Internet-based phones used by many large companies today. Turns out, many of these same vulnerabilities may also be present in the complex, distributed networks that control your local power grid, or ensure the distribution of your drinking water. But more on that in a bit. Ottawa-based VoIPshield Systems, a company that makes products to help secure voice-over-IP (VoIP) networks, said it located more than 100 security holes in Internet-based phones made by the biggest players in the business, including Avaya, Cisco and Nortel. The company currently displays information on 44 of the vulnerabilities on its Web site, and it says many of the flaws are medium- to high-risk, meaning they could be
Fri, 4 Apr 08
Secret Service Agent To Lead DHS Cyber Division
http://blog.washingtonpost.com/securityfix/2008/04/secret_service_agent_to_lead_d.html?nav=rss_blog
A cybercrime investigator at the U.S. Secret Service has been named to head the Department of Homeland Security's National Cyber Security Division, Security Fix has learned. Cornelius F. Tate, a graduate of University of Mississippi, currently heads up the Technical Security Division at Secret Service. Tate also is a member of the Electronic Crimes Special Agent Program, a Secret Service team made up of agents who conduct forensic analysis of computer systems. DHS established the NCSD to serve as a 24/7 watch center to share information between the private sector and the government about the latest cyber attacks. According to a "welcome aboard" e-mail sent to NCSD employees today, Tate "was actively involved in email and Internet traces regarding threats against the WhiteHouse.gov network. He has also served as the Secret Service's Chief Information Officer and with the CERT/Coordination Center team at Carnegie Mellon University." The message says Tate's oversight
Fri, 4 Apr 08
Apple Issues QuickTime Update for Mac, Windows
http://blog.washingtonpost.com/securityfix/2008/04/apple_issues_quicktime_update_1.html?nav=rss_blog
Apple on Wednesday pushed out an update to its QuickTime media player software, fixing at least 11 security vulnerabilities in the software for both Mac and Windows systems. Mac users can get the latest version through Software Update. Windows QuickTime users will need to use the bundled Apple Software Update application. Apple likes to bundle QuickTime with iTunes, but plenty of Windows users want to keep their QuickTime installs up-to-date without installing iTunes. I used to know of a fairly reliable link from which people could download a QuickTime-only standalone installer, but that link seems to have disappeared. If anyone can locate the official link for the standalone installer, I will update this post with that information. QuickTime vulnerabilities are dangerous because exploiting them can be as simple for an attacker as tricking someone into clicking on a malicious video link. As I noted in my roundup of Apple patches
Thu, 3 Apr 08
8.3 Million Records Spilled in Data Breaches This Year
http://blog.washingtonpost.com/securityfix/2008/04/83_million_records_spilled_in.html?nav=rss_blog
At least 8.3 million personal and financial records of consumers were potentially compromised by data spills or breaches at businesses, universities and government agencies in the first quarter of 2008, according to statistics released today. The San Diego-based Identity Theft Resource Center said it tracked public reports of 167 data breaches in the first three months of this year. The center recorded 448 data breaches total in 2007. A detailed breakdown of the incidents in 1Q of 2008 is available here (PDF) and the overall 2007 statistics can be downloaded here (PDF). Roughly 4.2 million of the breached records were the result of digital intrusions at the Hannaford Bros. supermarket chain disclosed last month. Overall, businesses were responsible for roughly 36 percent of the data breaches or spills, followed by schools and universities (25 percent), government and military (18 percent), medical/health care (14 percent) and banking and financial (7
Wed, 2 Apr 08
April Fool's Day Warning, And Some Fun
http://blog.washingtonpost.com/securityfix/2008/04/april_fools_day_warning_and_so.html?nav=rss_blog
This post has been updated. Please read through to the end. Original post: The cyber criminal(s) behind the Storm worm want to make an April Fool out of you today. The Storm worm author(s) like to use holidays and other notable calendar occasions to launch new attacks. True to form, new versions of the Storm worm were blasted out yesterday as links in an e-mail that included a taunting image of an idiot in a fool's costume wearing a "kick me" sign. Anyone foolish enough to follow the embedded directions telling recipients to "click here, if your download doesn't start in 5 seconds," will hand their PC over to the bad guys. (Image: F-Secure.com) The security news on this first day of April isn't all hackers and viruses. In fact, you'd do well not to take anything you read online today too seriously. Below are a few of the more
Wed, 2 Apr 08
Cyber Attacks on the Campaign Trail
http://blog.washingtonpost.com/securityfix/2008/03/sen_mccain_takes_on_russian_cy.html?nav=rss_blog
It is rare for the key topics typically covered in this blog -- cybercrime and computer security -- to be wielded as talking points by a major presidential candidate. But in a foreign policy speech last week, presumptive Republican Party presidential nominee John McCain cited cyber attacks from Russia as a reason for strengthening NATO and for excluding Russia from the Group of Eight. The reference to cyber attacks came in remarks McCain made at the Los Angeles World Affairs Council, wherein he argued that the future of the transatlantic relationship lies in confronting the challenges of the 21st century worldwide, such as "developing a common energy policy, creating a transatlantic common market tying our economies more closely together, addressing the dangers posed by a revanchist Russia, and institutionalizing our cooperation on issues such as climate change, foreign assistance, and democracy promotion." McCain continued: "We should start by ensuring that
Wed, 2 Apr 08
Happy 3rd Birthday To Security Fix
http://blog.washingtonpost.com/securityfix/2008/03/happy_3rd_birthday_to_security.html?nav=rss_blog
Security Fix turned three years old this weekend. Since March 2005, this blog has featured roughly 900 entries and attracted more than 14,000 comments. I have enjoyed watching the Security Fix community grow, and owe a big shout of "Thanks!" to all those who've contributed to the discussions here (my gratitude does not extend to the incessant blog spammers). That said, we are constantly seeking new ways to make what we cover more relevant to our readers. So, please drop me a line or add a comment below if there is an area of security news or advice you think deserves more or less digital ink.
