
Security Fix

 

Sat, 30 Aug 08
FBI Warns of Hit Man Scam Resurgence
http://voices.washingtonpost.com/securityfix/2008/08/fbi_warns_of_hit_man_scam_resu.html?nav=rss_blog
The FBI is warning people not to be disturbed by an e-mail scam that threatens your life and orders you to pay up to avoid being the target of a hired hit man. The FBI said its Internet Crime Complaint Center continues to receive thousands of reports concerning the hit man e-mail scheme. The FBI notes that while the content of the missive has evolved since similar hit man scams first surfaced in late 2006, the message remains the same, claiming the sender has been hired to kill the recipient. In some cases, the use of names, titles, addresses, and telephone numbers of government officials and business executives, and/or the victims' personal information are used in an attempt to make the fraud appear more authentic, the FBI said. I've heard about these scams before, but never actually seen one of the e-mails until today. Below is a copy of one

Fri, 29 Aug 08
Report Slams U.S. Host as Major Source of Badware
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html?nav=rss_blog
Last week, I examined a series of Web services that make profiting from cyber crime a point-and-click exercise that even the most novice hackers can master. Today, I'd like to highlight the activities of Atrivo, a Concord, Calif., based network provider that hosts some of these services. Several noted security researchers are releasing a report today that stems from many months of investigating malicious activity emanating from Atrivo's customers. Security experts say that Atrivo, also known as "Intercage," has long been a major source of spyware, adware, viruses and fake anti-virus products. The report is an exhaustive and well-researched analysis of Atrivo and its operations. Some of the statistics on active exploits cited in that report come from data sets I commissioned during my own investigation of Atrivo and later shared with Jart Armin, the principal author of the report and curator of the blog hostexploit.com. Looking back several years,

Thu, 28 Aug 08
White House Imposes New Security Mandate for Federal Agencies
http://voices.washingtonpost.com/securityfix/2008/08/dns_security_mandatory_for_all.html?nav=rss_blog
The Bush administration has ordered all federal agencies to adopt new measures to shore up the security of government Web sites, setting a January 2009 deadline for implementing the changes across all dot-gov domains. Agencies will be required to roll out domain name system security extensions (DNSSEC), a set of security add-ons for the domain name system. DNS is a fundamental piece of the Internet infrastructure that acts as a kind of distributed Internet phone book used to route messages between computers. The trouble with the current implementation of DNS is that it was developed and implemented in an era when the Internet was a much smaller and friendlier place, where the handful of researchers who used the system trusted one another. These days, however, cyber crooks are eager to divert Internet traffic to fraudulent or hostile sites by constantly seeking to poison the DNS records on consumer PCs and

Tue, 26 Aug 08
Web Fraud 2.0: Thwarting Anti-Spam Defenses
http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_defeating_anti-sp.html?nav=rss_blog
Spammers have made great strides this past year in defeating CAPTCHAs, the distorted text used as a security test to ensure a person and not a machine is behind a computer screen. But automated programs that spammers use to thwart CAPTCHAs still aren't nearly as successful as the practice of hiring thousands of people to do nothing but remotely solve the puzzles for clients. This is the business model behind anti-captcha.com, a subscription service that offers spammers a cheap way to solve CAPTCHAs, or "Completely Automated Public Turing test to tell Computers and Humans Apart." Google, Yahoo and other e-mail and Web service providers employ CAPTCHAs to stop spammers and other bad guys from using automated processes to create hundreds or thousands of fake accounts. Those new accounts, of course, are not logged yet by anti-spam filters, so they give spammers a new platform to deliver their garbage. Also, Google's

Sat, 23 Aug 08
Web Fraud 2.0: Distributing Your Malware
http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_distributing_your.html?nav=rss_blog
The allure of cyber crime lies in its promise of quick riches, much like that of the illegal drug trade. But building a network of hacked personal computers that can distribute your data-stealing malicious software is a time-consuming process that requires a modicum of skill. That is, until recently, when several online services have emerged that promise to help would-be cyber crooks graduate from common street dealers to distributors overnight. Such is the aim of services like "loads.cc," which for a small fee will take whatever malware you provide and inject it into a pre-selected number of PCs already compromised and under the thumb of the service owners. Currently, loads.cc claims to have 264,552 hacked systems in more than a dozen countries that it can use as hosts for any malicious software that clients want to install. The latest details from the "statistics" page displayed for members says the service

Fri, 22 Aug 08
Opera Update Plugs Multiple Security Holes
http://voices.washingtonpost.com/securityfix/2008/08/opera_update_plugs_multiple_se.html?nav=rss_blog
Opera has released a software update that fixes at least seven security vulnerabilities in the Web browser program. Users may be prompted to update when they first launch the browser. Alternatively, Opera surfers can simply select "Help" and "Check for New Release." Opera 9.52 corrects a number of bugs in addition to the security problems. You can read more about what's included in the update on Opera's Web site. I've been trying to split more of my daily browsing between different browsers, just to try out more features and become more familiar with the intricacies of each. I enjoy using Opera, but I'm a little surprised the company hasn't yet transitioned to automatic updates for users. Last month, a massive study based on browser data collected by Google showed that only slightly more than half of Opera users are surfing with the most recent, patched version of the browser. By

Fri, 22 Aug 08
Web Fraud 2.0: Digital Forgeries
http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_digital_forgeries.html?nav=rss_blog
For businesses, positively identifying someone online - by name, or physical location - is extremely difficult. Many Internet firms seek to verify the identity of customers by requesting scanned copies of their driver's licenses, passports, or utility bills. But what if services aimed at creating counterfeit versions of these documents became widespread? How long would businesses continue to rely on this method of identification? Unfortunately, there are several such services. Among the most active is a site called scanlab.name. For roughly $35 USD, you provide the site with the type of document or credential you're seeking and the identifying information you want to appear on it and scanlab will produce a very authentic-looking digital image that appears to be a scanned copy of said item. For example, let's say I'm a scammer and I've just gained access to someone's online account and I want to move their funds to my

Thu, 21 Aug 08
Web Fraud 2.0: Validating Your Stolen Goods
http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_try_before_you_bu.html?nav=rss_blog
If there is any truth to the old saying that there is no honor among thieves then it is doubly true for thieves who transact with one another yet never actually meet face-to-face. Perhaps that explains the popularity of certain services in the underground cyber crime economy that make it easy for crooks to purchase stolen credit and bank accounts in bulk and check whether the accounts are legitimate and active. From the many hours Security Fix spent skulking around some of the more active cyber crime communities online recently, I saw a site called sh0pp0rtal.net mentioned quite a bit. I managed to acquire an account on this exclusive service, and found some 78,628 individual MasterCard and Visa credit and debit accounts for sale at various prices there. As one can see from the screen shot to the left, users can select cards that come from victims in particular cities,

Wed, 20 Aug 08
Web Fraud 2.0: Cloaking Connections
http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_tools.html?nav=rss_blog
These days, nearly every aspect of the underground online economy that supports commercial crime operations has been automated. Online forums and criminal social networking sites have long offered aspiring newbies tips on getting started. But a slew of extremely popular Web sites increasingly are making it possible for newcomers to begin reaping profits from their activities through point-and-click Web interfaces that even the most novice hackers can navigate. What follows today and throughout the rest of the week is a look at some trends and tools Security Fix observed being used by cyber crooks, as a result of several months of lurking on some of the more popular (and in some cases invite-only) cyber criminal forums. Even the greenest cyber crook knows you never use your own Internet connection to conduct business. In the past, masking your true Internet address online meant configuring your browser to use multiple "open proxies,"

Tue, 19 Aug 08
Q&A With FBI's Cyber Division Chief
http://voices.washingtonpost.com/securityfix/2008/08/qa_with_fbis_cyber_crime_chief.html?nav=rss_blog
At the end of the Black Hat hacker convention in Las Vegas a week ago Thursday, I had a few minutes to sit down with James Finch, head of the FBI's Cyber Division. What follows is an excerpted Q&A from that discussion, in which Finch describes himself as a serious geek who refuses to be spooked by organized cyber criminal gangs that target online banking customers and other 'Netizens. Q: I see you've got a nice MacBook Pro there. Are you a pure Mac user? A: No, I am not. I raised my daughters on Windows machines, but my 4-year-old son, I'm raising him on a Mac. I just bought him an iMac. I prefer flavors of Unix over Windows. Q: Which flavors? A: Well, I'm running SUSE, Fedora 9. I don't spend as much quality time with these operating systems as I used to. Q: So what does the

Wed, 13 Aug 08
Microsoft Patches 26 Security Holes
http://voices.washingtonpost.com/securityfix/2008/08/microsoft_patches_26_security.html?nav=rss_blog
Microsoft today released updates to fix at least 26 security vulnerabilities in its Windows operating systems and other software. At least 17 of those flaws earned Microsoft's "critical" rating, meaning they could be exploited to break into vulnerable systems with little or no help from the victim. The 26 vulnerabilities are the most Microsoft has addressed since it had 25 in August of 2006, which also included 17 rated as critical, according to anti-virus firm Symantec. Microsoft patched two holes in that have already been used in targeted attacks against people browsing the Web with Internet Explorer 6 and 7. In addition to those two fixes, one bundle of critical updates plugs five other security holes in Internet Explorer, most of which Microsoft said are present in all versions of the browser. Half of the flaws fixed in today's release were found in Microsoft Office and component programs, such as Excel,

Mon, 11 Aug 08
New Tool to Automate Cookie Stealing from Gmail, Others
http://voices.washingtonpost.com/securityfix/2008/08/new_tool_automates_cookie_stea.html?nav=rss_blog
LAS VEGAS, NEV. -- If you use Gmail and haven't yet taken advantage of a feature Google unveiled last week to prevent hackers from hijacking your inbox, now would be an excellent time to do that. A security researcher at the Defcon hacker conference in Las Vegas on Saturday demonstrated a tool he built that allows attackers to break into your inbox even if you are accessing your Gmail over a persistent, encrypted session (using https:// versus http://). When you log in to Gmail, Google's servers will place what's called a "session cookie," or small text file, on your machine. The cookie identifies your machine as having presented the correct user name and password for that account, and it can allow you to stay logged in to your account for up to two weeks if you don't manually log out (after which the cookie expires and you are forced to

Sun, 10 Aug 08
Georgian Web Sites Under Attack
http://voices.washingtonpost.com/securityfix/2008/08/georgian_web_sites_under_attac.html?nav=rss_blog
As Russian bombs rained down on towns in separatist towns of the former Soviet republic of Georgia, hackers mounted a digital assault on the nation's top Web properties this week, knocking government Web sites offline and defacing others. According to reports from security experts who have been monitoring the ongoing cyber attacks, the Web site for the office of Georgia Foreign Affairs (mfa.gov.ge) was hacked, and its homepage was replaced with images depicting Georgia's president as a Nazi. That site is currently offline. Other Georgian Web properties, such as the Caucasus Network Tbilisi -- key Georgian commercial Internet servers -- remain under sustained attack from thousands of compromised PCs aimed at flooding the sites with so much junk Web traffic that they can no longer accommodate legitimate visitors. Security Blogger Jart Armin has been tracking the attacks by conducting Internet traces and lookups at key Georgian Web properties. The apparently

Sat, 9 Aug 08
Wireless Awareness: Don't Be A Sheep
http://voices.washingtonpost.com/securityfix/2008/08/wireless_awareness_dont_be_a_s.html?nav=rss_blog
LAS VEGAS, NEV. -- iPhones and other mobile devices with wireless access were among the top contributors to this year's "Wall of Sheep," a public shaming exercise debuting at the Black Hat security conference in Las Vegas this week that aims to educate people about the dangers of sending e-mail and other online communications over open wireless networks. Conference organizers issued a clear warning to attendees: If you check your e-mail or communicate using the ubiquitous conference wireless network, be sure to do so over an encrypted connection (https:// versus http://). Otherwise, your credentials will be projected onto a wall where everyone will ridicule your seeming inability to grasp a fundamental tenet of online security. Apparently, a fair number of the most well-trained security professionals ignored this advice. The team responsible for monitoring the Black Hat wireless network posted more than 30 sets of credentials, many from individuals who had

Fri, 8 Aug 08
Researchers Warn of Social Networking Scams
http://voices.washingtonpost.com/securityfix/2008/08/researchers_warn_of_social_net.html?nav=rss_blog
LAS VEGAS, NEV. -- Social networking sites like Facebook, MySpace and LinkedIn are fast emerging as some of the most fertile grounds for malicious software, identity thieves and online mischief-makers. And while some of the talks given here at the Black Hat hacker conference would probably make most people want to avoid social networking sites altogether, it turns out that staying off of these networks entirely may not be the safest option either. The biggest danger from social networking sites is that they are all tripping over themselves to embed powerful functionality that most subscribers will never use, said Shawn Moyer, chief information security officer at Agura Digital Security, a Web and network security firm. Speaking with Nathan Hamiel, senior consultant for Idea Information Security, Moyer co-presented a talk today called "Satan is on My Friends List," in which he demonstrated a plethora of ways that user-created applications popular on

Fri, 8 Aug 08
Online Crime Gang Stole Millions
http://voices.washingtonpost.com/securityfix/2008/08/online_crime_gang_stole_millio.html?nav=rss_blog
LAS VEGAS, NEV. -- To gain a grasp of just how badly organized cyber-crime groups are fleecing American banks and consumers, it may be instructive to look at the details released this week about the operations of a single online crime gang that is responsible for undoubtedly the largest cache of stolen data ever uncovered. The info comes from Joe Stewart, a researcher with Atlanta-based SecureWorks who has been studying the operations of a group responsible for distributing "Coreflood," a remote-access Trojan that the bad guys are using to hide their activities online and steal data from infected systems. By gaining access to an online server used to control the CoreFlood network, Stewart was able to gain a rare glimpse inside the operations of an operation that compromised more than 378,000 systems over the past 16 months. He found more than 500 gigabytes of stolen banking credentials and other

Thu, 7 Aug 08
Kaminsky Details DNS Flaw at Black Hat Talk
http://voices.washingtonpost.com/securityfix/2008/08/kaminsky_details_dns_flaw_at_b.html?nav=rss_blog
LAS VEGAS, NEV. -- Roughly 85 percent of Fortune 500 companies have patched their networks to fix a security flaw that lets cyber criminals redirect visitors to counterfeit or malicious Web sites, but Internet users still remain at grave risk due to the large number of infrastructure providers that have not yet addressed the issue, a prominent security researcher warned today. The data comes from a talk presented here at the Black Hat security conference in Las Vegas by Dan Kaminsky, the Seattle-based IOActive researcher who discovered a fairly trivial way that bad guys could corrupt records found in the domain name system (DNS) and fill them with inaccurate information. On July 8, Microsoft, Cisco, Sun Microsystems and dozens of other Internet companies shipped software updates to fix this fundamental design in DNS, the communications standard that acts as a kind of phone book for the Internet, translating human-friendly

Thu, 7 Aug 08
Microsoft to Open Kimono on Security Patches
http://voices.washingtonpost.com/securityfix/2008/08/microsoft_to_open_kimono_on_se.html?nav=rss_blog
In a bid to help the security industry stay a step ahead of cyber crooks, Microsoft will release additional details behind the vulnerabilities it patches each month to anti-virus companies and other large vendors of Windows security software. While Microsoft already provides a brief fact sheet of which components of Windows will be fixed prior to its regular patch releases on the second Tuesday of each month, known as "Patch Tuesday," security vendors say additional details will help them more swiftly update their software to detect the latest attacks. In particular, software companies rarely have enough time to develop attack "signatures," snippets of code or Internet traffic, that when found on a network or PC could indicate an attacker is trying to leverage the flaws. Under a new program starting with October's Patch Tuesday cycle, Microsoft will begin releasing technical details that should allow security vendors to very quickly develop

Thu, 7 Aug 08
Apple Patches DNS Flaw and 16 Other Holes
http://voices.washingtonpost.com/securityfix/2008/08/apple_patches_dns_flaw_and_16.html?nav=rss_blog
Apple released updates to fix at least 17 different security holes in its OS X operating system and other software late Thursday, including a patch for the domain name system (DNS) vulnerability that many other affected vendors addressed nearly three weeks ago. Security Update 2008-005 patches a serious flaw in the DNS that could allow hackers to hijack users' Internet connections or silently redirect them to counterfeit Web sites. Cisco, Microsoft, Sun Microsystems and a host of Linux projects pushed out a coordinated fix for the flaw on July 8, when it was first disclosed, and Apple immediately took heat for not releasing its patch then as well. My guess is that Apple planned all along to release its patch this week or early next. Dan Kaminsky, the researcher who discovered the DNS flaw and helped coordinate the release of the patches to fix it, tried to withhold details about

Thu, 7 Aug 08
Black Hat Talk on Apple Encryption Flaw Pulled
http://voices.washingtonpost.com/securityfix/2008/07/black_hat_talk_on_apple_encryp_1.html?nav=rss_blog
A security researcher who was set to speak at the Black Hat hacker convention in Las Vegas next week on a previously undiscovered flaw in Apple's FileVault encryption system has canceled his talk, citing confidentiality agreements with the Cupertino computer maker. Charles Edge, a researcher from Georgia, had been slated to discuss his research on a weakness that could be used to defeat FileVault encryption on the Mac. But sometime last week, Black Hat organizers pulled his name and presentation listing from its schedule of talks. Contacted via cell phone, Edge said he signed confidentiality agreements with Apple, which prevents him from speaking on the topic and from discussing the matter further. Almost every year, much of the drama leading up to and during Black Hat seems to revolve around talks that are canceled or censored at the last minute for various legal reasons. At Black Hat 2007, well-known reverse

Thu, 7 Aug 08
Senate Approves Bill to Fight Cyber-Crime
http://voices.washingtonpost.com/securityfix/2008/07/senate_approves_bill_to_fight.html?nav=rss_blog
The Senate on Wednesday passed legislation to modernize the nation's computer crime laws and give prosecutors more leeway in pursuing cyber crooks. Under current federal cyber-crime laws prosecutors must show that the illegal activity caused at least $5,000 in damages before they can bring charges for unauthorized access to a computer. Under the bill approved today, that threshold would be eliminated. Instead, the legislation would make it a felony to install spyware or keystroke-monitoring programs on 10 or more computers regardless of the amount of damage caused. This change is important because most of today's cyber criminals break into thousands of computers at a time, but seldom inflict $5,000 worth of damages on any one individual. Moreover, while most commit their crimes by tunneling their connections through hacked computers, the crooks may never damage the PCs they are using as a proxy or try to steal personal and financial data

Thu, 7 Aug 08
Fun with Spam Subject Lines
http://voices.washingtonpost.com/securityfix/2008/07/fun_with_spam_subject_lines.html?nav=rss_blog
I've been checking my spam filter, just for the fun of it, as the spammers are writing more timely and entertaining subject lines as an enticement to get people to open their missives. Take the following spam headlines, for example, that appeared in the last 48 hours. All capitalize on public attention to current events, such as the U.S. presidential election, or the 2008 Olympics. "Hillary Clinton Sues Barack Obama"; "Obama Is Anorexic Over-Exerciser"; "President Bush Legalizes Gay Marriages"; "U.S. Olympians Stopped at China Customs"; "Terrorist Threats on Beijing Olympics Discovered." Spammers and scam artists are notoriously lazy, and spelling and grammatical errors have long been a telltale sign of a scam Web site or e-mail come-ons. But what's particularly remarkable about these subject lines is that they are all grammatically correct. Take this subject line, which purports to bring news about the untimely demise of the CEO of Apple

Thu, 7 Aug 08
Exploit Prods Software Firms to Update Their Updaters
http://voices.washingtonpost.com/securityfix/2008/07/holes_in_software_autoupdate_f_1.html?nav=rss_blog
A security researcher has released a set of tools that make it simple for attackers to exploit weaknesses in the auto-update feature of many popular software titles. By targeting widely deployed programs such as Java, OpenOffice, Winamp and Winzip, that don't use a digital signature on their product updates, attackers can impersonate those companies and trick users into believing they are updating their software, when in reality the users may be uploading a package designed to compromise the security of their computer. Software companies should include these signatures in all of their updates, so that a user's computer can validate that the update was indeed sent by the vendor. For example, Microsoft signs all of its updates with an encryption key that only it knows, and Windows machines are configured to ignore any incoming software update alerts that are not signed with that key. For whatever reason, Java, Winamp, Winzip

Thu, 7 Aug 08
Three Quarters of Malicious Web Sites Are Hacked
http://voices.washingtonpost.com/securityfix/2008/07/75_percent_of_malicious_web_si_1.html?nav=rss_blog
Three-quarters of all Web sites that try to foist malicious software on visitors are legitimate sites that have been hacked, a report released today found. Even worse, most of these compromised sites are social networking communities and some of the Internet's most popular destinations. Those numbers come from stats (PDF) collected in the first six months of this year by Websense, an online security company that scans more than 40 million Web sites hourly for signs that they may have been compromised by hackers. Websense found that 60 percent of the Top 100 most popular sites this year have either hosted malware or forwarded visitors to malicious sites. The company also says that nine out of 10 of those compromised sites were social networking or Web search sites. "The majority of these attacks are using Web properties as repositories for malware, mainly because they let users upload content," said Dan

Thu, 7 Aug 08
Critical Security Updates Available for RealPlayer
http://voices.washingtonpost.com/securityfix/2008/07/critical_security_updates_avai.html?nav=rss_blog
RealNetworks has shipped a new version of its RealPlayer software to plug at least four serious security holes in the program. Updates are available for RealPlayer versions 10, 10.5 and 11 for Linux, Mac and Windows systems. Windows versions of RealPlayer are affected by all four vulnerabilities (two of the flaws are once again ActiveX related), while the Linux and Mac versions are exposed to just one of the holes. Regardless, the company is urging all users, regardless of platform, to upgrade their software. To see which version of RealPlayer you're using, select "Help," then "About" in the program's menu. Windows users can use the "Check for updates" option. Linux and Mac updates are available here. Regular readers of this blog know that I am not a huge fan of RealPlayer. But there are alternatives. If you just need to hear streaming Real audio, the free and excellent VLC Media

Thu, 7 Aug 08
Gmail Gains Two New Security Features
http://voices.washingtonpost.com/securityfix/2008/07/gmail_gains_two_new_security_f_1.html?nav=rss_blog
Google this month rolled out two new security features to its free Gmail service. The first should protect users against people who might be lurking on your network trying to snoop or hijack your inbox. The other makes it easy for users to tell if they are signed on in more than one location and then remotely sign that machine out of your account. When you log in to your Gmail account, by typing http://mail.google.com into a Web browser, Gmail automatically switches you over to an https:// login - or secure sockets layer (SSL) - page that encrypts the authentication process so that anyone sniffing the local network cannot simply snag your username and password. The trouble is that if you initially log in to Gmail using a plain http:// (unencrypted) session, Gmail will pop you back into an unencrypted session after that temporary switch to https:// for the login.

Thu, 7 Aug 08
Man Gets 4 Years for ID Theft, Software Piracy
http://voices.washingtonpost.com/securityfix/2008/07/man_gets_4_years_for_id_theft_1.html?nav=rss_blog
A 23-year-old Oregon man was sentenced this week to four years in federal prison for using computer viruses to steal financial data from dozens of consumers. Investigators say the man used the information to set up multiple eBay and PayPal accounts, which helped him sell more than $1 million worth of pirated software. Jeremiah Joseph Mondello, of Eugene, Ore., admitted distributing keystroke logging programs via online instant message networks. Investigators say he then used bank account credentials stolen from victims to set up more than 40 online auction accounts in the victims' names. The judgment is almost unheard of for a non-violent crime committed by an individual with no criminal history: Mondello will serve 48 months in jail, followed by three years of supervised release and 450 hours of community service. Federal investigators also seized computers and $220,000 in cash from Mondello. The government also is entitled to seize his

Thu, 7 Aug 08
Fortify Your Internet Security Settings Now
http://voices.washingtonpost.com/securityfix/2008/07/the_web_just_became_a_much_mor.html?nav=rss_blog
The Web became a substantially more dangerous place this week, thanks largely to the publication of instructions that show cyber criminals how to exploit a pervasive, critical flaw in the Internet infrastructure. While Internet service providers and corporations can mitigate the danger by updating the software that powers vulnerable components of their networks, data released yesterday indicates that only about half of the world's online population is currently protected by these updates. At issue is a basic design flaw in the domain name system. DNS is the communications standard that acts as a kind of telephone book for the Internet, translating human-friendly Web site names like example.com into numeric addresses that are easier for networking equipment to handle and route. When people type a Web site name into their Internet browser, the process of routing of that name to Internet address is generally handled through DNS servers managed by Internet

Thu, 7 Aug 08
Before You Go on That Vacation....
http://voices.washingtonpost.com/securityfix/2008/07/before_you_go_on_that_vacation.html?nav=rss_blog
I thought I was paranoid about protecting my home from disasters and thieves before leaving on vacation. But it's nice to know there are some people out there who may be significantly more schizophrenic on this topic. A colleague sent me this primer (PDF) from the Institute for Security and Open Methodologies, which sports a checklist of at least 70 precautions to consider before you pack up the old family wagon for that road trip. Some of the gems embedded in this tip list include: If you have an alarm, dog, or a surveillance service then keep it discreet and leave the alarm or warning sign away. Professional thieves don't care about them and you take away the element of surprise (unless it's the bad for you kind of "Hey, surprise, we have a fake sign and no dog or alarm!" as they proceed to break in). Signs only inform a

Thu, 7 Aug 08
One Spammer Jailed, Another Walks
http://voices.washingtonpost.com/securityfix/2008/07/one_spammer_jailed_another_wal.html?nav=rss_blog
Spam king Robert Soloway was sentenced this week to 47 months in prison for sending more than 90 million junk e-mail messages over a three-month period. Meanwhile, federal authorities are searching for a spammer who walked away from a prison camp on Sunday. Soloway pleaded guilty in March to mail fraud, and tax evasion. A federal judge still must decide how much restitution he will pay. In other news, Edward "Eddie" Davidson, a 35-year-old stock spammer who was sentenced in April to 21 months in prison, escaped from a prison camp in Florence, Colo., this week. According to this Associated Press story, Davidson was last seen roughly 90 miles north of the camp in the Denver suburb of Lakewood. Update, 11:18 p.m. ET: The Denver Post is reporting that in a tragic turn of events, Davidson today shot and killed his wife and three-year-old daughter before turning the gun

Thu, 7 Aug 08
Firefox 3 Follows IE7's Security Settings
http://voices.washingtonpost.com/securityfix/2008/07/firefox_3_follows_ie7s_securit_1.html?nav=rss_blog
Firefox 3 users, who also have jacked up the security settings on Microsoft's Internet Explorer 7 to their most paranoid level, may find it trickier to download files with Firefox due to key changes recently made by Mozilla. In a Security Fix Live chat last Friday, a reader complained he or she couldn't download any file in Firefox unless she reduced the security settings in IE7. "I usually leave IE at high settings since I don't routinely use it....I tried reducing all the security settings in Firefox to make sure it wasn't the cause. And the problem exists without using noscript. Only reducing settings in IE allows downloads." An alert reader called me on my advice to this questioner, directing my attention to a heated discussion thread on the subject at DSL Reports that I had actually read a few weeks prior (doh!). Here's what's happening, according to Mozilla: "Starting

Wed, 6 Aug 08
Microsoft to Open Kimono on Security Patches
http://blog.washingtonpost.com/securityfix/2008/08/microsoft_to_open_kimono_on_se.html?nav=rss_blog
In a bid to help the security industry stay a step ahead of cyber crooks, Microsoft will release additional details behind the vulnerabilities it patches each month to anti-virus companies and other large vendors of Windows security software. While Microsoft already provides a brief fact sheet of which components of Windows will be fixed prior to its regular patch releases on the second Tuesday of each month, known as "Patch Tuesday," security vendors say additional details will help them more swiftly update their software to detect the latest attacks. In particular, software companies rarely have enough time to develop attack "signatures," snippets of code or Internet traffic, that when found on a network or PC could indicate an attacker is trying to leverage the flaws. Under a new program starting with October's Patch Tuesday cycle, Microsoft will begin releasing technical details that should allow security vendors to very quickly develop

Sun, 3 Aug 08
Black Hat Talk on Apple Encryption Flaw Pulled
http://blog.washingtonpost.com/securityfix/2008/07/black_hat_talk_on_apple_encryp_1.html?nav=rss_blog
A security researcher who was set to speak at the Black Hat hacker convention in Las Vegas next week on a previously undiscovered flaw in Apple's FileVault encryption system has canceled his talk, citing confidentiality agreements with the Cupertino computer maker. Charles Edge, a researcher from Georgia, had been slated to discuss his research on a weakness that could be used to defeat FileVault encryption on the Mac. But sometime last week, Black Hat organizers pulled his name and presentation listing from its schedule of talks. Contacted via cell phone, Edge said he signed confidentiality agreements with Apple, which prevent him from speaking on the topic and from discussing the matter further. Almost every year, much of the drama leading up to and during Black Hat seems to revolve around talks that are canceled or censored at the last minute for various legal reasons. At Black Hat 2007, well-known reverse

Fri, 1 Aug 08
Apple Patches DNS Flaw and 16 Other Holes
http://blog.washingtonpost.com/securityfix/2008/08/apple_patches_dns_flaw_and_16.html?nav=rss_blog
Apple released updates to fix at least 17 different security holes in its OS X operating system and other software late Thursday, including a patch for the domain name system (DNS) vulnerability that many other affected vendors addressed nearly three weeks ago. Security Update 2008-005 patches a serious flaw in the DNS that could allow hackers to hijack users' Internet connections or silently redirect them to counterfeit Web sites. Cisco, Microsoft, Sun Microsystems and a host of Linux projects pushed out a coordinated fix for the flaw on July 8, when it was first disclosed, and Apple immediately took heat for not releasing its patch then as well. My guess is that Apple planned all along to release its patch this week or early next. Dan Kaminsky, the researcher who discovered the DNS flaw and helped coordinate the release of the patches to fix it, tried to withhold details about

Fri, 1 Aug 08
Senate Approves Bill to Fight Cyber-Crime
http://blog.washingtonpost.com/securityfix/2008/07/senate_approves_bill_to_fight.html?nav=rss_blog
The Senate on Wednesday passed legislation to modernize the nation's computer crime laws and give prosecutors more leeway in pursuing cyber crooks. Under current federal cyber-crime laws prosecutors must show that the illegal activity caused at least $5,000 in damages before they can bring charges for unauthorized access to a computer. Under the bill approved today, that threshold would be eliminated. Instead, the legislation would make it a felony to install spyware or keystroke-monitoring programs on 10 or more computers regardless of the amount of damage caused. This change is important because most of today's cyber criminals break into thousands of computers at a time, but seldom inflict $5,000 worth of damages on any one individual. Moreover, while most commit their crimes by tunneling their connections through hacked computers, the crooks may never damage the PCs they are using as a proxy or try to steal personal and financial data

Fri, 1 Aug 08
Fun with Spam Subject Lines
http://blog.washingtonpost.com/securityfix/2008/07/fun_with_spam_subject_lines.html?nav=rss_blog
I've been checking my spam filter, just for the fun of it, as the spammers are writing more timely and entertaining subject lines as an enticement to get people to open their missives. Take the following spam headlines, for example, that appeared in the last 48 hours. All capitalize on public attention to current events, such as the U.S. presidential election, or the 2008 Olympics.
Hillary Clinton Sues Barack Obama
Obama Is Anorexic Over-Exerciser
President Bush Legalizes Gay Marriages
U.S. Olympians Stopped at China Customs
Terrorist Threats on Beijing Olympics Discovered
Spammers and scam artists are notoriously lazy, and spelling and grammatical errors have long been a telltale sign of a scam Web site or e-mail come-ons. But what's particularly remarkable about these subject lines is that they are all grammatically correct. Take this subject line, which purports to bring news about the untimely demise of the CEO of Apple

