
Security Fix

 

Wed, 30 Jul 08
Exploit Prods Software Firms to Update Their Updaters
http://blog.washingtonpost.com/securityfix/2008/07/holes_in_software_autoupdate_f_1.html?nav=rss_blog
A security researcher has released a set of tools that make it simple for attackers to exploit weaknesses in the auto-update feature of many popular software titles. By targeting widely deployed programs such as Java, OpenOffice, Winamp and Winzip, that don't use a digital signature on their product updates, attackers can impersonate those companies and trick users into believing they are updating their software, when in reality the users may be uploading a package designed to compromise the security of their computer. Software companies should include these signatures in all of their updates, so that a user's computer can validate that the update was indeed sent by the vendor. For example, Microsoft signs all of its updates with an encryption key that only it knows, and Windows machines are configured to ignore any incoming software update alerts that are not signed with that key. For whatever reason, Java, Winamp, Winzip

Wed, 30 Jul 08
Three Quarters of Malicious Web Sites Are Hacked
http://blog.washingtonpost.com/securityfix/2008/07/75_percent_of_malicious_web_si_1.html?nav=rss_blog
Three-quarters of all Web sites that try to foist malicious software on visitors are legitimate sites that have been hacked, a report released today found. Even worse, most of these compromised sites are social networking communities and some of the Internet's most popular destinations. Those numbers come from stats (PDF) collected in the first six months of this year by Websense, an online security company that scans more than 40 million Web sites hourly for signs that they may have been compromised by hackers. Websense found that 60 percent of the Top 100 most popular sites this year have either hosted malware or forwarded visitors to malicious sites. The company also says that nine out of 10 of those compromised sites were social networking or Web search sites. "The majority of these attacks are using Web properties as repositories for malware, mainly because they let users upload content," said Dan

Tue, 29 Jul 08
Critical Security Updates Available for RealPlayer
http://blog.washingtonpost.com/securityfix/2008/07/critical_security_updates_avai.html?nav=rss_blog
RealNetworks has shipped a new version of its RealPlayer software to plug at least four serious security holes in the program. Updates are available for RealPlayer versions 10, 10.5 and 11 for Linux, Mac and Windows systems. Windows versions of RealPlayer are affected by all four vulnerabilities (two of the flaws are once again ActiveX related), while the Linux and Mac versions are exposed to just one of the holes. Regardless, the company is urging all users, regardless of platform, to upgrade their software. To see which version of RealPlayer you're using, select "Help," then "About" in the program's menu. Windows users can use the "Check for updates" option. Linux and Mac updates are available here. Regular readers of this blog know that I am not a huge fan of RealPlayer. But there are alternatives. If you just need to hear streaming Real audio, the free and excellent VLC Media

Tue, 29 Jul 08
Gmail Gains Two New Security Features
http://blog.washingtonpost.com/securityfix/2008/07/gmail_gains_two_new_security_f_1.html?nav=rss_blog
Google this month rolled out two new security features to its free Gmail service. The first should protect users against people who might be lurking on your network trying to snoop or hijack your inbox. The other makes it easy for users to tell if they are signed on in more than one location and then remotely sign that machine out of your account. When you log in to your Gmail account, by typing http://mail.google.com into a Web browser, Gmail automatically switches you over to an https:// login - or secure sockets layer (SSL) - page that encrypts the authentication process so that anyone sniffing the local network cannot simply snag your username and password. The trouble is that if you initially log in to Gmail using a plain http:// (unencrypted) session, Gmail will pop you back into an unencrypted session after that temporary switch to https:// for the login.

Sat, 26 Jul 08
Man Gets 4 Years for ID Theft, Software Piracy
http://blog.washingtonpost.com/securityfix/2008/07/man_gets_4_years_for_id_theft_1.html?nav=rss_blog
A 23-year-old Oregon man was sentenced this week to four years in federal prison for using computer viruses to steal financial data from dozens of consumers. Investigators say the man used the information to set up multiple eBay and PayPal accounts, which helped him sell more than $1 million worth of pirated software. Jeremiah Joseph Mondello, of Eugene, Ore., admitted distributing keystroke logging programs via online instant message networks. Investigators say he then used bank account credentials stolen from victims to set up more than 40 online auction accounts in the victims' names. The judgment is almost unheard of for a non-violent crime committed by an individual with no criminal history: Mondello will serve 48 months in jail, followed by three years of supervised release and 450 hours of community service. Federal investigators also seized computers and $220,000 in cash from Mondello. The government also is entitled to seize his

Sat, 26 Jul 08
Fortify Your Internet Security Settings Now
http://blog.washingtonpost.com/securityfix/2008/07/the_web_just_became_a_much_mor.html?nav=rss_blog
The Web became a substantially more dangerous place this week, thanks largely to the publication of instructions that show cyber criminals how to exploit a pervasive, critical flaw in the Internet infrastructure. While Internet service providers and corporations can mitigate the danger by updating the software that powers vulnerable components of their networks, data released yesterday indicates that only about half of the world's online population is currently protected by these updates. At issue is a basic design flaw in the domain name system. DNS is the communications standard that acts as a kind of telephone book for the Internet, translating human-friendly Web site names like example.com into numeric addresses that are easier for networking equipment to handle and route. When people type a Web site name into their Internet browser, the process of routing of that name to Internet address is generally handled through DNS servers managed by Internet

Fri, 25 Jul 08
Before You Go on That Vacation....
http://blog.washingtonpost.com/securityfix/2008/07/before_you_go_on_that_vacation.html?nav=rss_blog
I thought I was paranoid about protecting my home from disasters and thieves before leaving on vacation. But it's nice to know there are some people out there who may be significantly more schizophrenic on this topic. A colleague sent me this primer (PDF) from the Institute for Security and Open Methodologies, which sports a checklist of at least 70 precautions to consider before you pack up the old familywagon for that road trip. Some of the gems embedded in this tip list include: If you have an alarm, dog, or a surveillance service then keep it discreet and leave the alarm or warning sign away. Professional thieves don't care about them and you take away the element of surprise (unless it's the bad for you kind of "Hey, surprise, we have a fake sign and no dog or alarm!" as they proceed to break in). Signs only inform a

Fri, 25 Jul 08
One Spammer Jailed, Another Walks
http://blog.washingtonpost.com/securityfix/2008/07/one_spammer_jailed_another_wal.html?nav=rss_blog
Spam king Robert Soloway was sentenced this week to 47 months in prison for sending more than 90 million junk e-mail messages over a three month period. Meanwhile, federal authorities are searching for a spammer who walked away from a prison camp on Sunday. Soloway pleaded guilty in March to mail fraud, and tax evasion. A federal judge still must decide how much restitution he will pay. In other news, Edward "Eddie" Davidson, a 35-year-old stock spammer who was sentenced in April to 21 months in prison, escaped from a prison camp in Florence, Colo., this week. According to this Associated Press story, Davidson was last seen roughly 90 miles north of the camp in the Denver suburb of Lakewood. Update, 11:18 p.m ET: The Denver Post is reporting that in a tragic turn of events, Davidson today shot and killed his wife and three-year-old daughter before turning the gun

Tue, 22 Jul 08
Firefox 3 Follows IE7's Security Settings
http://blog.washingtonpost.com/securityfix/2008/07/firefox_3_follows_ie7s_securit_1.html?nav=rss_blog
Firefox 3 users, who also have jacked up the security settings on Microsoft's Internet Explorer 7 to their most paranoid level, may find it trickier to download files with Firefox due to key changes recently made by Mozilla. In a Security Fix Live chat last Friday, a reader complained he or she couldn't download any file in Firefox unless she reduced the security settings in IE7. "I usually leave IE at high settings since I don't routinely use it....I tried reducing all the security settings in Firefox to make sure it wasn't the cause. And the problem exists without using noscript. Only reducing settings in IE allows downloads." An alert reader called me on my advice to this questioner, directing my attention to a heated discussion thread on the subject at DSL Reports that I had actually read a few weeks prior (doh!). Here's what's happening, according to Mozilla: "Starting

Thu, 17 Jul 08
Study: Site Redirects Abundant, Aid Phishers
http://blog.washingtonpost.com/securityfix/2008/07/study_site_redirects_abundant_1.html?nav=rss_blog
An examination of nearly 2.5 million Web pages at some of the Internet's most popular and trusted sites turned up at least 128,000 links that could be manipulated by fraudsters and virus writers to make online scams more believable, a study released this month found. Scammers and phishers are taking advantage of coding commonly used in "redirects" to divert traffic from reputable Web sites to sites that could harbor malicious software or phishing schemes. Redirects aren't all bad. In essence, they are Web links that are used to forward traffic from one site to another. They can be useful when Web site owners want to move content around and don't want old links leading to dead pages. Redirects can help selectively re-route traffic: For instance, www.example.com may want to forward any requests for a specific Web page to a third-party site. In addition, well-known companies use redirects to forward

Tue, 15 Jul 08
Zone Alarm Update Fixes Microsoft Patch Problem
http://blog.washingtonpost.com/securityfix/2008/07/zone_alarm_update_fixes_micros.html?nav=rss_blog
Microsoft last week shipped a security update that prevented users of the popular ZoneAlarm firewall products from getting online. ZoneAlarm maker Check Point Software initially told users to uninstall the Microsoft patch, but it has since issued version 7.0.483.0 to fix this problem. If you have ZoneAlarm set to automatically notify you of software updates, the new version should be offered when you restart the program or Windows. To manually check for updates: * Open ZoneAlarm and click on the "Check for Update" button. * Open your ZoneAlarm product interface * Go to Overview in the left-hand column * Click on the Preferences tab * Under "Check for Updates", click the "Check for Update" button. If you uninstalled the Microsoft update because of this problem, be sure to reinstall the patch (KB951748, a.k.a. MS08-037) after updating ZoneAlarm and rebooting. I mentioned this compatibility problem at the end of a blog

Sat, 12 Jul 08
A Baker's Dozen of Security Updates for iPhone 2.0
http://blog.washingtonpost.com/securityfix/2008/07/a_bakers_dozen_security_update.html?nav=rss_blog
As expected, the 2.0 version of iPhone released today includes a number of security updates, patching more than a dozen holes in the slimmed-down OS X operating system that powers the devices. That means for those who already own Apple's mobile device, it's time to update. As detailed in a column last week, a number of these patches are updates that Apple shipped earlier this year for Safari and/or the version of OS X designed for Mac desktop and laptop computers. iPhone 2.0 bundles some 13 security updates, five of which address previously undocumented security flaws. Among the more notable (if not serious) patches: One fix for the gadget's Safari Web browser that was addressed by a number of other software makers (including Mozilla) back in June 2006. Another Safari update plugs a security hole that Apple sealed in its Microsoft Windows version of Safari last month. Another fix corrects

Sat, 12 Jul 08
Speeding In Maryland Could Be Hazardous to Your Identity
http://blog.washingtonpost.com/securityfix/2008/07/maryland_traffic_site_lists_so.html?nav=rss_blog
If you've ever received a traffic ticket in Maryland, your name, birthday, Social Security number and address may be posted on the Maryland state Web site for anyone to find, Security Fix has learned. Reader Mark Webster from Annandale, Va., alerted me that the official Maryland court records Web site lists the personal data of countless citizens. The citations listed go back more than 30 years, and include records even for routine traffic stops that were ultimately dismissed. The records with sensitive data in them appear to be limited to tickets issued to people who currently or at one time lived in a state that previously used the Social Security number as the default driver's license or customer number. Searching through records in the database for tickets issued to surnames "Johnson" and "Smith" confirmed that those states include Delaware, Connecticut, Iowa, Missouri and Virginia. Probably close to half of the

Fri, 11 Jul 08
Ghosts of Java Haunt Users
http://blog.washingtonpost.com/securityfix/2008/07/remnant_java_versions_again_po.html?nav=rss_blog
Sun Microsystems has issued updates for its ubiquitous Java software to plug multiple security holes. Of particular interest in this bundle is a fix that prevents attackers from exploiting vulnerabilities in older versions of the software. Why is this a big deal, you ask? Aren't patches designed to fix vulnerabilities in older versions of the software? Well, yes, but as Security Fix has lamented time and again, Sun's updates are notorious for leaving older versions of the software lying all over the user's machine. If this conundrum sounds familiar, you're not crazy (although you might be a geek). Roughly two years ago, Sun quietly acknowledged in a security update that it had fixed a very similar flaw -- even if the latest, patched version was installed and set as the authoritative version to be used by both the operating system and the user's default Web browser. A PR firm, hired

Thu, 10 Jul 08
U.S. Supreme Court Judge Data Exposed Via P2P
http://blog.washingtonpost.com/securityfix/2008/07/us_supreme_court_judge_data_ex_1.html?nav=rss_blog
The Washington Post today ran a story I wrote on a data breach of a local investment firm that exposed the names, birth dates and Social Security numbers of some of the Washington area's most powerful attorneys, including Supreme Court Justice Stephen Breyer. I was able to trace the breach back to a former employee who accidentally shared the company's client list while browsing for files on the LimeWire peer-to-peer network. I'm calling attention to this story because this morning I heard from reader Christopher Lynt, a patent attorney from Virginia whose personal data was included in the file exposed via P2P. He told me that last July, an identity thief used his SSN and birth date to have $1,000 wired to Mexico from Lynt's bank and credit accounts. His tale caught my attention because I'd heard a nearly identical account from another attorney I contacted for today's story who

Wed, 9 Jul 08
Patch (The Entire Internet) Tuesday
http://blog.washingtonpost.com/securityfix/2008/07/patch_the_entire_internet_tues_1.html?nav=rss_blog
Security experts are scrambling to patch a newly-discovered security flaw in a key component of the Internet infrastructure that could expose consumers and businesses to increased risk of attack by scam artists and virus writers. Yesterday, computer software and hardware industry leaders, including Cisco, Microsoft, and Sun Microsystems, coordinated the release of software updates to plug the security hole, which involves a fundamental design flaw in the domain name system. DNS is the communications standard that acts as a kind of telephone book for the Internet, translating human-friendly Web site names like example.com into numeric addresses that are easier for networking equipment to handle and route. Dan Kaminsky, director of penetration testing for Seattle-based security firm IOActive and the discoverer of the vulnerability, said attackers could use the flaw to "poison" the DNS records of network providers. In such an attack scenario, when customers of a targeted ISP try to

Tue, 8 Jul 08
Microsoft: Hackers Exploiting Unpatched Office Flaw
http://blog.washingtonpost.com/securityfix/2008/07/microsoft_hackers_exploiting_u_2.html?nav=rss_blog
Microsoft today issued stopgap instructions for plugging a previously unknown security hole that hackers are currently using to break into Windows computers via the Internet Explorer (IE) Web browser. The problem, once again, is with a faulty ActiveX control. ActiveX is a Windows technology that works through IE and allows Web sites to add software to the user's computer or interact with components in the Windows operating system. In this case, the insecure component is an ActiveX control called "Snapshot Viewer," which ships with all versions of Microsoft Office 2000, Office 2002, and Office 2003. The flawed ActiveX control is also shipped with the standalone Snapshot Viewer. Microsoft warns that merely browsing with IE to a malicious (or hacked) Web site that exploits this vulnerability could be enough to compromise your system. So far, Redmond says it is seeing only "limited, targeted attacks" leveraging the vulnerability. But, of course,

Fri, 4 Jul 08
Lithuania Weathers Cyber Attack, Braces for Round 2
http://blog.washingtonpost.com/securityfix/2008/07/lithuania_weathers_cyber_attac_1.html?nav=rss_blog
Hundreds of Lithuanian government and corporate Web sites were hacked and plastered with Soviet-era symbols and other digital graffiti this week in what appears to be a coordinated cyber attack launched by Russian hacker groups. A New York Times story reports that Lithuanian officials did not directly accuse Russian hackers of initiating the attacks, but said they had come from foreign computers. However, iDefense, a security intelligence firm, based in Reston, Va., attributed the attacks to nationalistic Russian hacker groups protesting a new Lithuanian law banning the display of Soviet emblems, including honors won during World War II. According to Lithuanian media reports, the attacks shut down the Web sites of the national ethics body, the securities and exchange commission, the Lithuanian Social Democratic Party, among others. iDefense said hacker groups used Internet forums and blasted spam e-mails to spotlight a manifesto called "Hackers United Against External Threats to Russia,"

Thu, 3 Jul 08
Apple iPhone Four Months Behind OS X in Patches
http://blog.washingtonpost.com/securityfix/2008/07/apple_iphone_four_months_behin_1.html?nav=rss_blog
Apple's iPhone runs a miniature version of OS X, the operating system that powers Mac computers. So it's fitting that Apple designed the iPhone to check for security updates whenever users fire up iTunes with their iPhone attached. But it might surprise iPhone users to learn that the latest security update available for the iPhone dates back to February, and that a number of serious security vulnerabilities that Apple long ago patched in OS X remain unaddressed in the most recent version of the iPhone. In seeking confirmation of this, I spoke recently with Charlie Miller, one of the foremost OS X and iPhone security researchers. Miller confirmed that the iPhone updater tells users that if they have version 1.1.4 installed then they are running the most current version. The problem is that this update does not include fixes for a slew of security holes in the Safari Web browser

Thu, 3 Jul 08
Breach Exposes Info on Pre-'06 Google Hires
http://blog.washingtonpost.com/securityfix/2008/07/data_breach_exposes_info_on_pr.html?nav=rss_blog
A data breach at a California company that administers benefit plans to businesses across the country involved personal information on all Google employees hired prior to Dec. 31, 2005, the search engine giant said. Google's disclosure came in a letter (PDF) to the New Hampshire Attorney General, which revealed that Google was a victim of a break-in at Colt Express Outsourcing Services Inc. Last month, Colt warned that the theft of computer equipment from its offices resulted in the loss of the names, birth dates and Social Security numbers of 6,500 CNET Networks employees. Google said that same information from its employees also was included on the missing equipment. The letter notes that while "the break-in did not occur on Google property, and did not involve any computers, facilities or data associated with Google products," the company has nonetheless engaged Kroll Inc. -- a New York-based risk consulting firm --

Wed, 2 Jul 08
Apple Pushes Peck of Patches
http://blog.washingtonpost.com/securityfix/2008/07/apple_pushes_peck_of_patches.html?nav=rss_blog
Apple on Monday issued software updates to plug more than two dozen security holes in its OS X operating systems and various software applications. The company also issued a patch to fix a security vulnerability in Safari for the Mac (this issue was already addressed in a previous update for Windows XP and Vista versions of Safari). The updates are available through Apple Software Update or directly from Apple Downloads. Apple does not appear to have fixed the rather serious vulnerability in its Apple Remote Desktop program, which allows any program to run on a Mac user's machine without first prompting the user to enter his or her user name and password. Given that a team of hackers has now released a Trojan toolkit that can be used to seamlessly piggyback malicious software onto any downloadable application, I half expected Apple to fix that vulnerability, as the fix itself is

Wed, 2 Jul 08
Amazon: Hey Spammers, Get Off My Cloud!
http://blog.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html?nav=rss_blog
I am accustomed to receiving e-mail from Amazon.com, as I am a fiercely loyal customer who shops there quite frequently. But it took me by surprise this weekend to discover that mounds of porn spam and junk e-mail laced with computer viruses are actively being blasted from digital real estate leased to the e-commerce giant. I wasn't the only one who spotted it. Websense Security Labs issued an alert about the spam attacks on Monday, but it didn't name Amazon as the source. The advisory rightly noted that it had discovered "a substantial number of spam messages utilizing a reliable social engineering trick." The junk mail claims to have been sent from Microsoft, and urges the recipient to install an attached security update. Windows users who fall for the ruse will have their systems infected with a backdoor Trojan horse program that gives the attackers easy access with which

Wed, 2 Jul 08
Forty Percent of Web Users Surf With Unsafe Browsers
http://blog.washingtonpost.com/securityfix/2008/07/40_percent_of_web_users_surf_w_1.html?nav=rss_blog
A comprehensive new study of online surfing habits released today found that only 60 percent of the planet's Internet users surf the Web with the latest, most-secure versions of their preferred Web browsers. The study, conducted by researchers from Google, IBM and the Communication Systems Group in Switzerland, relied on data from server logs provided by Google for search requests between Jan. 2007 and June 2008. The researchers found that of the 1.4 billion Internet users worldwide at the end of March 2008, 576 million surfed with outdated versions of Web browsers. The researchers also concluded that as a group, Mozilla Firefox users were the most likely to be using the latest, most secure and stable version of the browser: 83.3 percent of Firefox users were found to have the latest version installed at any given time. That's notably more than Web surfers using the latest versions of Safari (65.3

Tue, 1 Jul 08
Data Breach Reports Up 69 Percent in 2008
http://blog.washingtonpost.com/securityfix/2008/06/data_breach_reports_up_69_perc_1.html?nav=rss_blog
Businesses, governments and universities reported a record number of data breaches in the first half of this year, a 69 percent increase over the same period in 2007 driven by a spike in data thefts attributed to employees and contractors, according to an analysis by identity theft experts. The San Diego-based Identity Theft Resource Center tracked 342 data breach reports from Jan. 1 to June 27. Nearly 37 percent of reports came from businesses -- an increase from almost 29 percent last year. Data breach reports from health care providers (14.9 percent of the total) and banks (10 percent) continued to rise, while the share of breaches from educational institutions (21.3 percent of the total) government entities and the military (17 percent) declined for the third year in a row, the ITRC found. Hacking was the least-cited cause of data breaches in the first six months of 2008 (11.7 percent

