Security Fix
Sat, 31 May 08
New Trillian IM Software Fixes Three Security Holes
http://blog.washingtonpost.com/securityfix/2008/05/new_trillian_im_software_fixes_1.html?nav=rss_blog
Trillian, a popular all-in-one instant messaging suite that handles AOL IM, Yahoo, MSN and even Internet relay chat (IRC) communications, has issued an update that corrects at least three very serious security flaws in the program. The vulnerabilities, found in both the Pro and Basic (free) versions of Trillian, earned a "highly critical" rating from vulnerability watcher Secunia. Trillian users should update to version 3.1.10.0, which patches these flaws.
Thu, 29 May 08
Apple Patches 40 Security Holes
http://blog.washingtonpost.com/securityfix/2008/05/apple_patches_40_security_hole_1.html?nav=rss_blog
Apple on Wednesday released an update to fix at least 40 different security holes in computers powered by its Mac OS X operating system and other software, including a just-in-time update to fix a dangerous vulnerability in the Adobe Flash Player that is being rather heavily exploited at the moment in Microsoft Windows versions of the player. The Flash update brings the Mac version of the Flash Player up to the latest 9.0.124.0 version, which protects users against a proliferating number of sites using vulnerabilities in older Flash versions to install malicious software on exposed computers. While the attackers are so far delivering viral payloads designed exclusively for Microsoft Windows systems, the researcher who discovered the method by which the flaw is being attacked warned that the vulnerability could be similarly exploited on any operating system for which Flash is available, including Mac OS X. At least seven of the
Thu, 29 May 08
Symantec Pledges Less Bloat, More Speed
http://blog.washingtonpost.com/securityfix/2008/05/symantec_pledges_less_bloat_mo.html?nav=rss_blog
Every other week, when I host a Security Fix Live chat with our readers, I almost always hear gripes from Symantec users complaining about how various Norton software titles are causing their PCs to operate sluggishly. Well, the folks at Symantec want you to know they are working to improve speed and efficiency in next year's consumer products. The complaints about Norton products that I've heard from readers have been fairly consistent: problems installing/uninstalling the software, and system slowness after installing the software. In a chat on Jan. 25, a reader from Toronto wrote: "I use Norton Anti-virus but am convinced it is causing my computer to operate very slowly. Is there an alternative program that is less resource intensive?" The following month, a chatter from New York complained: "Hi Brian, I've had really bad experiences running Symantec/Norton and McAfee products. They tend to take over and reduce my overall
Thu, 29 May 08
Exploit In-the-Wild: Patch Your Flash Player Now
http://blog.washingtonpost.com/securityfix/2008/05/exploit_inthewild_patch_your_f.html?nav=rss_blog
If you have not yet applied the patch that Adobe released last month to plug security holes in its Flash Player, do not procrastinate further: Security experts warn that a growing number of Web sites are using Flash vulnerabilities to install password-stealing software when users visit them with unpatched Web browsers. It's not entirely clear whether the attackers are taking advantage of a brand new flaw, or one that Adobe already fixed. Symantec, McAfee, the SANS Internet Storm Center and some independent researchers raised the alarm on Tuesday, indicating that hackers were exploiting a previously undocumented and unpatched flaw in Flash. Further analysis of the sites distributing the malicious code suggests that the attack does not work against the latest version of Flash for either Internet Explorer or Firefox. So, users with the latest version of Flash should be protected from this attack. Symantec's initial writeup clashed with the conclusions
Wed, 28 May 08
Security Fixes in Foxit Update
http://blog.washingtonpost.com/securityfix/2008/05/security_fixes_in_foxit_update.html?nav=rss_blog
People who use the free Foxit Reader software as an alternative to Adobe for viewing portable document format (PDF) files should take note: Foxit has shipped a new version that plugs a serious security hole in the program. The newest version, available here, brings Foxit to v. 2.3, Build 2923. Not sure which version you're running? Click "Help," and "About Foxit." Researchers at security firm Secunia labeled the vulnerability as "highly critical." The flaw stems from a problem with the way Foxit handles Javascript. I prefer Foxit over Adobe, and here's one good example why: The lack of program bloat. Turns out, most Foxit reader users don't have to worry about this flaw to begin with, because the free Foxit Reader ships without Javascript support by default. Rather, it is available as an add-on that you must manually download and install after installing the base program. By comparison, have a
Sat, 24 May 08
ING Introduces Tool for Safe E-Banking on Infected PCs
http://blog.washingtonpost.com/securityfix/2008/05/ing_tool_provides_safe_ebankin_1.html?nav=rss_blog
ING Direct, the nation's largest online-only bank, said this week that it was giving away a software tool that would allow customers to bank online safely at ING, even if the user's PC was already infected with data-stealing malicious software. ING made the somewhat bold claim in partnering with an Israeli company named Trusteer, which offers an installable program called Rapport. Trusteer's main investor is a man named Shlomo Kramer, co-founder of Check Point Software, the company that makes and markets the ZoneAlarm firewall products. Kramer is now CEO of Imperva, an application data protection company, which he co-founded with Mickey Boodaei, who is CEO of Trusteer. Boodaei said Rapport creates a "secure pipe" within the user's computer that encapsulates data as it flows to the ING Direct Web site. Boodaei said the software works by assuming control over the application programming interfaces or APIs in Windows, the set of
Fri, 23 May 08
New Tax Plan Could Jeopardize Small Business Owners' Privacy
http://blog.washingtonpost.com/securityfix/2008/05/plan_would_require_credit_card.html?nav=rss_blog
The Bush administration is proposing a new tax collection program that would force credit card companies to report merchants' income to the Internal Revenue Service. The plan has come under fire from privacy groups, who say it will create another private sector database tied to Social Security numbers at a time when ID theft experts are urging companies to wean themselves from the use and collection of such information. The proposal is spelled out in the White House's FY09 federal budget request for the U.S. Treasury, which the administration says includes some 16 changes to existing tax law designed to collect more than $36 billion in new revenues over 10 years. According to an analysis by the Center for Democracy & Technology, the proposal would require credit card companies to report the aggregate transactions of all businesses that have merchant accounts with the card issuers. The reports to the IRS
Wed, 21 May 08
Gov't Earns 'C' on Computer Security Report Card
http://blog.washingtonpost.com/securityfix/2008/05/govt_earns_grade_of_c_for_comp.html?nav=rss_blog
The federal government earned an overall grade of "C" for securing its computer systems and networks from cyber attack last year, a slight improvement from the "C-minus" mark the government was given in 2006. The report cards were issued today by Rep. Tom Davis of Virginia, the ranking Republican on the House Committee on Oversight and Government Reform. Nine agencies earned failing grades for 2007, including the departments of Agriculture, Commerce, Defense, Interior, Labor, Transportation, Treasury, Veterans Affairs, as well as the Nuclear Regulatory Commission. The grades are based on data submitted by the agencies and agency inspectors general to the White House for fiscal year 2007. Eight agencies earned "A" grades, including the Department of Justice, the Agency for International Development, Environmental Protection Agency, National Science Foundation, Social Security Administration, Housing and Urban Development, Office of Personnel Management and the General Services Administration. However, the committee noted that
Tue, 20 May 08
Most Spam Sites Tied to a Handful of Registrars
http://blog.washingtonpost.com/securityfix/2008/05/most_spam_sites_tied_to_a_hand_1.html?nav=rss_blog
New research suggests that more than three quarters of all Web sites advertised through spam are clustered at just 10 domain name registrars. The data comes from millions of junk messages collected over the past year by Knujon ("no junk" spelled backwards and pronounced "new john"), an anti-spam outfit that works by convincing registrars to dismantle spam sites. Knujon's co-founder Garth Bruen said the links in spam messages touting fake pharmacies, knock-off designer products, pirated software and phony lending institutions redirect users to a relatively minuscule subset of sites that are generally under the control of a small number of companies. Bruen focuses most of his energy on calling attention to spam sites that list blatantly false information in their WHOIS records, the global online directory designed to list the contact data for individuals who register Web sites. The Internet Corporation for Assigned Names and Numbers (ICANN), the Marina Del
Fri, 16 May 08
Gov't Secrecy and the Mysterious Cyber Initiative
http://blog.washingtonpost.com/securityfix/2008/05/government_secrecy_and_the_mys.html?nav=rss_blog
The secrecy surrounding the Bush administration's updated National Cyber Security Initiative -- designed to improve the government's digital defenses and put forth an offensive information warfare doctrine -- is endangering the deterrent value of the project and appears to be aimed chiefly at supporting spying operations abroad, a key U.S. Senate committee concludes in a new report. The Senate Armed Services Committee said a major thrust of the initiative was to inform our adversaries as to the range of potential consequences of a cyber attack on U.S. strategic or national assets. But so far only three of the 18 goals spelled out in the cyber initiative have been discussed publicly; the rest remain classified. "It is difficult to conceive how the United States could promulgate a meaningful deterrence doctrine if every aspect of our capabilities and operational concepts is classified," the committee's report said. "In the era of superpower nuclear
Fri, 16 May 08
Debian and Ubuntu Users: Fix Your Keys
http://blog.washingtonpost.com/securityfix/2008/05/debian_and_ubuntu_users_fix_yo.html?nav=rss_blog
Online merchants who have used a Debian-based operating system to generate secure sockets layer (SSL) certificates for encrypting customer communications should check to make sure the private key needed to decrypt those transactions isn't already posted on the Web for all to see. Normally, even if an attacker is able to intercept https:// traffic between a commercial Web site and a customer, the bad guy is unable to make sense of it without the private key held by the Web site owner. But new research published this week points to a weakness in Debian's cryptographic process that potentially gives eavesdroppers the tools to quickly discover the key needed to unlock https:// transactions and view the traffic in plain text. Most cryptographic systems work by generating a set of public and private keys, with the trick to generating strong, virtually unbreakable keys being randomness. The process starts with an extremely long
Thu, 15 May 08
Three Charged With Hacking Dave & Buster's Chain
http://blog.washingtonpost.com/securityfix/2008/05/three_charged_with_hacking_dav.html?nav=rss_blog
Three men have been indicted for hacking into a number of cash registers at Dave & Buster's restaurant locations nationwide to steal data from thousands of credit and debit cards, data that was later sold or used to cause more than $600,000 in losses, the Justice Department said this week. The government's 27-count indictment unsealed this week names Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "JonnyHell" Suvorov, of Sillamae, Estonia, with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic communications. The government also unsealed a complaint against Albert "Segvec" Gonzalez of Miami, who, according to the U.S. Secret Service, was responsible for creating the software used to steal credit and debit card data. The complaint alleges that sometime between April and September of 2007, Yastremskiy and Suvorov
Wed, 14 May 08
Microsoft Patches Six Security Holes
http://blog.washingtonpost.com/securityfix/2008/05/microsoft_patches_six_security_1.html?nav=rss_blog
Microsoft today issued four updates to fix at least six security flaws in its Windows operating system and Office software. The bundle includes a patch for a critical flaw that hackers already are exploiting to break into vulnerable Windows systems. The latest updates are available through Microsoft/Windows Update, or via Automatic Updates. Four of the vulnerabilities fixed in today's roundup earned Microsoft's most dire "critical" label, which means hackers could use them to break into Windows systems with little or no help from the user, save for convincing the user to click on a link or open a file or e-mail. Among the most serious of the critical updates is a fix for a known flaw in Microsoft's Jet Database Engine, a component built into Windows 2000, Windows XP and Windows Server 2003 that provides data access to applications such as Microsoft Access, Microsoft Visual Basic, and many third party
Tue, 13 May 08
Online Sellers: Beware of Fake Check Scams
http://blog.washingtonpost.com/securityfix/2008/05/online_sellers_beware_fake_che.html?nav=rss_blog
If you sell enough stuff online at sites like Craigslist and eBay, eventually you will receive an offer for your wares that far exceeds your asking price. Such offers are often the first stage of a scam in which the fraudster sends a counterfeit check along with some elaborate explanation for offering such a high amount. The scam artist then asks the seller to wire back the difference after the check is deposited. It should surprise no one that the checks always bounce, leaving anyone who falls for the scam liable to their bank for the entire amount. This is not a new scam, but I had never seen one of these fake checks in person until my colleague here at washingtonpost.com - Dan - recently received one of these fairly official-looking checks after advertising an $800 bike frame for sale on Craigslist.com. The outer envelope was hand addressed with
Sat, 10 May 08
Adobe Plugs 8 Security Holes in Reader
http://blog.washingtonpost.com/securityfix/2008/05/adobe_plugs_8_security_holes_i.html?nav=rss_blog
This post was updated at 12:20 p.m. to clarify what's new in this Adobe patch. See the update below the original post. Adobe has issued an update to plug at least eight security holes in its PDF Reader software. The latest patch brings the current, patched, version of Adobe to 8.1.2. If you're reading this post on a system that has Adobe Reader installed, please take a moment now to download and apply this update. Cyber crooks have recently added Adobe vulnerabilities to "Neosploit," a tool that automates the exploitation of outdated browser plug-ins when users visit certain malicious or hacked Web sites. As Symantec notes, you don't have to be doing anything risky to get burned by running an outdated copy of Adobe Reader these days. Symantec writes: "If a user is enticed to a hostile Web site (who knows which ones are hostile these days) using the
Fri, 9 May 08
Mozilla Distributes Virus-Infected Language Pack
http://blog.washingtonpost.com/securityfix/2008/05/mozilla_distributes_virusinfec_1.html?nav=rss_blog
Anyone who downloaded the Vietnamese language pack for Firefox 2 needs to run an anti-spyware and anti-virus scan, then disable the pack for now. Mozilla warned yesterday that all versions of that language pack downloaded from its servers since Feb. 18, 2008, were infected with pop-up ad serving software. Window Snyder, Mozilla's chief security officer, said the Vietnamese language pack was contaminated as the result of a virus infection. "This usually results in the user seeing unwanted ads, but may be used for more malicious actions." Snyder said Mozilla doesn't know how many people downloaded the compromised language pack, but said there have been 16,667 downloads of the pack since November 2007. Mozilla is working on getting a replacement language pack up on the site soon. Snyder said that while Mozilla does virus scans when add-ons are uploaded to its servers, the scanner for whatever reason didn't catch this nasty
Thu, 8 May 08
Robotraff: A Hacker's Go-To For Clicks
http://blog.washingtonpost.com/securityfix/2008/05/the_click_fraud_stock_exchange_1.html?nav=rss_blog
Anyone who doubts that Internet click fraud has become a big money maker should take a look at a Russian Web site called Robotraff.com, which bills itself as "the first stock exchange of Web traffic." Set up a free account at Robotraff and you're ready to buy or sell Web traffic. Got 30,000 hacked personal computers under your thumb? Super! Now you can use those systems to generate a steady income just by pointing them at Web sites requested by a buyer. Or maybe you're just getting started and you can't be bothered to build your own army of hacked PCs the old-fashioned way? No problem! Now you can set up a Web site that tries to exploit Web browser or browser plug-in vulnerabilities and simply buy all the traffic you need. So let's have a look at the transactions Robotraff is handling today: User #704 is selling "search mix"
Wed, 7 May 08
Microsoft Releases Windows XP Service Pack 3
http://blog.washingtonpost.com/securityfix/2008/05/microsoft_releases_windows_xp_1.html?nav=rss_blog
Microsoft today finally released Service Pack 3 for Windows XP users. The update should now be offered via both Windows Update and Automatic Updates. The company was expected to release it last week, but pulled the plug at the last minute due to a compatibility problem with an obscure product they offer. Many readers have asked me whether this update is really necessary, given that there isn't a whole lot new in Service Pack 3 aside from all of the security and non-security updates Microsoft has ever released for the operating system. The following are some of the things you should know about installing Service Pack 3 for Windows XP. Microsoft says it is not adding any significant Windows Vista technology into XP with Service Pack 3. No surprise there, given that Microsoft has said Service Pack 3 will be XP's swan song: The company currently plans to stop issuing
Tue, 6 May 08
Tech Groups Back Kaspersky in Fight Against Zango
http://blog.washingtonpost.com/securityfix/2008/05/tech_groups_back_kaspersky_in.html?nav=rss_blog
A broad coalition of technology groups today told a federal appeals court to toss out a lawsuit that adware maker Zango is continuing to pursue against computer security vendor Kaspersky Lab, arguing that to do otherwise would harm consumers and the future of the security software market. In May 2007, Bellevue, Wash.-based Zango -- a company that makes software to serve pop-up ads and tracks users' activities on behalf of online marketers -- sued Kaspersky, charging that the company interfered with its business by removing its "adware" without first alerting the user. In August, the judge assigned to the case dismissed Zango's suit, saying Kaspersky's actions were shielded by the federal Communications Decency Act (CDA). That law contains a "good Samaritan" clause that protects computer services companies from liability for good faith efforts to block material that users may consider objectionable (portions of the CDA have been struck down by
Sat, 3 May 08
Stepped Up Cyber Role for Spy Agencies
http://blog.washingtonpost.com/securityfix/2008/05/stepped_up_cyber_role_for_spy.html?nav=rss_blog
Read Brian Krebs's latest story on washingtonpost.com: "White House Plans Proactive Cyber-Security Role for Spy Agencies." America's spy agencies for the first time would be tasked with gathering intelligence on threats to the nation's computer networks under a policy set to be detailed by the White House next week, a senior administration official said Wednesday. Speaking at a security conference in Washington, the official said the Bush administration wants to harness the intelligence community's offensive capabilities in defense of government and civilian computer systems. Continue reading...
Fri, 2 May 08
Cyber Justice Chronicles
http://blog.washingtonpost.com/securityfix/2008/05/cyber_justice_chronicles_1.html?nav=rss_blog
Security Fix is launching a new feature today called Cyber Justice Chronicles, which will periodically provide short snippets of news about individuals who have been arrested or convicted of computer crime offenses. Law enforcement takes its share of lumps for not doing enough to go after cyber crooks, and while the victories on that front may be few and far between, it seems worthwhile to highlight some of the successes: * On Wednesday, Justice Department officials said they had worked with officials from NASA and Nigerian law enforcement to win the conviction of Akeem Adejumo, a 22-year-old Nigerian man who pled guilty to hacking into a NASA employee's computer. Turns out, Adejumo and an unnamed NASA employee met via an online dating Web site. Adejumo admitted sending the woman an e-mail attachment that contained a keystroke logger, which allowed him to steal her personal information including bank account and Social
