Security Fix
Fri, 31 Oct 08
GAO: Localities Expose Social Security Numbers Online
http://voices.washingtonpost.com/securityfix/2008/10/gao_states_sale_exposure_of_ss.html?nav=rss_blog
Many county governments across the U.S. are making citizens' full or partial Social Security Numbers available online or in bulk to private companies, according to a Government Accountability Office report released last week. At a time when states are seeking additional laws to punish businesses that inadvertently leak their citizens' personal and financial data, the GAO's findings would appear to highlight an overlooked area of consumer protection, as states weigh trade-offs between open-records laws, privacy, and the potential income that the sale of consumer records can generate. Roughly 85 percent of counties nationwide make the records available, and only 16 percent of counties place any restrictions on the types of entities that can obtain those records. As the GAO notes, public records -- such as birth, marriage and death certificates, civil and criminal court case files, and property liens -- that used to be accessible only in the county recorder's
Thu, 30 Oct 08
ICANN De-Accredits EstDomains for CEO's Fraud Convictions
http://voices.washingtonpost.com/securityfix/2008/10/icann_de-accredits_estdomains.html?nav=rss_blog
The entity responsible for overseeing the Internet's domain name system said Tuesday that it was revoking the right of registrar EstDomains.com to process new domain names, citing the company CEO's recent conviction on cyber crime charges. The move by the Internet Corporation for Assigned Names and Numbers (ICANN) comes less than two months after Security Fix published a report translated from Estonian into English showing that EstDomains CEO Vladimir Tsastsin (pictured at right) was convicted in February of credit card fraud, document forgery and other cyber crime charges -- and that EstDomains was a haven for cyber criminals who wanted to register Web sites that supported a range of criminal activity. Apparently, a section of the legal contracts that all registrars must sign with ICANN states: "Thou Shalt Not Have a Cyber Crook As Your CEO." Okay, it doesn't quite say it like that. Here's what ICANN did say, in
Tue, 28 Oct 08
Java Update Promises to Remove Older Versions
http://voices.washingtonpost.com/securityfix/2008/10/java_update_promises_to_remove.html?nav=rss_blog
Sun Microsystems has released another version of its Java software client. The update, JRE6 Update 10, contains no new security fixes to the most recent version, JRE6 Update 7, but it does appear to fulfill a promise the company made long ago to stop littering users' PCs with outdated, insecure versions of the software. Readers of this blog know I am no fan of Java. It's a huge, extremely powerful program that frequently needs updating to protect users from evil sites that might wish to leverage the program's interactivity and power to do bad things. Another reason I've railed against Java is that Sun's updates don't remove old versions. As a result, if you've been keeping up with the Java security updates, chances are you have at least three or four previous versions of Java on your system -- each taking up more than 100MB worth of disk space. While
Sat, 25 Oct 08
Data-Stealing Trojan Exploiting Just-Patched Windows Flaw
http://voices.washingtonpost.com/securityfix/2008/10/data-stealing_trojan_exploitin.html?nav=rss_blog
Microsoft Windows users who have not yet applied the security update that Redmond released yesterday should take a minute to do that now: Security experts are warning that at least one Trojan horse program with apparent spreading capabilities is in circulation, and that we are likely to see additional malware exploiting the flaw in the coming days. The ThreatExpert Blog has the skinny on Gimmiv.A, a Trojan that appears to have worm-like ability to spread to other systems on a network. This is likely to be more of a threat for large, enterprise networks than for individual home users. On an unpatched corporate network, all it would take is for an employee to plug an infected laptop into the network, and without firewalls enabled on each machine inside of the network or some type of host-based intrusion detection software running, that network could be in real trouble very quickly. Oddly
Fri, 24 Oct 08
Microsoft to Issue Emergency Security Update Today
http://voices.washingtonpost.com/securityfix/2008/10/microsoft_to_issue_emergency_s_1.html?nav=rss_blog
Microsoft said late Wednesday that it plans to break out of its monthly patch cycle to issue a security update today for a critical vulnerability in all supported versions of Windows. Redmond rarely releases security patches outside of Patch Tuesday, the second Tuesday of each month. The software giant isn't providing many details yet, but the few times it has departed from its Patch Tuesday cycle it has always done so to stop the bleeding on a serious security hole that criminals were using to break into Windows PCs on a large scale. By Security Fix's count, this would be the fourth time since January 2006 that Microsoft has deviated from its monthly patch cycle to plug security holes. As shown by the stories in the linked examples above, Microsoft has fixed problems, each time, that were being actively exploited by bad guys to break into PCs. Microsoft's advanced notification
Thu, 23 Oct 08
A Primer on Web Browser Privacy Tools
http://voices.washingtonpost.com/securityfix/2008/10/a_primer_on_web_browser_privac.html?nav=rss_blog
The biggest contenders in the Web browser wars have been tripping over themselves to offer new privacy protections for users, and that's largely a good thing. But making sense of these features is a bit like trying to compare mobile phone plans from various phone companies: Unless you have the features compared side-by-side, making that comparison can be a tall order. Happily, the Center for Democracy & Technology, a nonprofit consumer advocacy group in Washington, has published a clear and concise guide to help consumers understand and take advantage of these new privacy features. The white paper examines the privacy features now built into four Web browsers - Firefox 3, Internet Explorer 8 Beta 2, Google Chrome, and Safari 3. The paper also looks at privacy add-ons, including Stealther for a Firefox privacy mode, CookieSafe for cookie controls in Firefox, AdBlock Plus (must-have, in my opinion) for object controls in
Thu, 23 Oct 08
FBI, FTC Take Down Scammers & Spammers
http://voices.washingtonpost.com/securityfix/2008/10/fbi_ftc_take_down_scammers_spa.html?nav=rss_blog
I was traveling to speak at a couple of conferences most of the past week, so I missed out on covering some of the bigger cyber-security justice developments to come in a long while: The FBI announced it has busted up an online bazaar for cyber thieves, working with international authorities to nab at least 56 people suspected of buying and selling stolen personal and financial data. In other news, the Federal Trade Commission convinced a judge to freeze the assets of what's being called the world's largest spam gang. The FBI said the arrests came after investigators infiltrated DarkMarket.ws, a Web forum for cyber crooks that once boasted more than 2,500 members who were interested in buying and selling credit card data, stolen user names and passwords. "What they didn't know was that one of the site's administrators and most respected members, who called himself Master Splyntr, was one
Tue, 21 Oct 08
Adobe Flash Patch Addresses 'ClickJacking' Flaw
http://voices.washingtonpost.com/securityfix/2008/10/adobe_flash_patch_addresses_cl.html?nav=rss_blog
Adobe last week issued a critical update for its Flash multimedia player, including a fix for a dangerous class of vulnerabilities that gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. The Flash patch addresses at least five security vulnerabilities, including two flaws that allow what's being called "clickjacking," a vulnerability present in Flash as well as multiple Web browsers that could allow an attacker to lure a user into unknowingly clicking on a link or dialog box, even if that link or box were located on another Web page. Clickjacking uses a technology known as "iFrames," to invisibly load content from a separate Web page within the context of the page the user is viewing. Using a specially-crafted iFrame, a malicious site could load an invisible image that contains a URL from another page and overlay it transparently on top
Sat, 18 Oct 08
Atrivo Shutdown Hastened Demise of Storm Worm
http://voices.washingtonpost.com/securityfix/2008/10/atrivo_shutdown_hastened_demis.html?nav=rss_blog
The infamous Storm worm, which powered a network of thousands of compromised PCs once responsible for sending more than 20 percent of all spam, appears to have died off. Security experts say Storm's death knell was sounded by the recent shutdown of Atrivo, a California based ISP that was home to a number of criminal cyber crime operations, including at least three of the master servers used to control the Storm network. The Storm network consisted of a complex hierarchy of servers designed to balance the load of sending spam and to hide the location of the master servers that the Storm worm authors used to operate the network. Three out of four of those control servers were located at Atrivo, a.k.a. Intercage, said Joe Stewart, a senior security researcher with Atlanta based SecureWorks who helped unlock the secrets of the complex Storm network. The fourth server, he said,
Fri, 17 Oct 08
Report: Russian Hacker Forums Fueled Georgia Cyber Attacks
http://voices.washingtonpost.com/securityfix/2008/10/report_russian_hacker_forums_f.html?nav=rss_blog
An exhaustive inquiry into August's cyber attacks on the former Soviet bloc nation of Georgia finds no smoking gun in the hands of the Russian government. But experts say evidence suggests that Russian officials did little to discourage the online assault, which was coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities well before the two countries engaged in a brief but deadly ground, sea and air war. The findings come from an open source investigation launched by Project Grey Goose, a volunteer effort by more than 100 security experts from tech giants like Microsoft and Oracle, as well as former members of the Defense Intelligence Agency, Lexis-Nexis, the Department of Homeland Security and defense contractor SAIC, among others. The group began its inquiry shortly after the cyber war disabled a large number of Georgia government Web
Wed, 15 Oct 08
Microsoft's Patch Tuesday Includes New Rating Index
http://voices.washingtonpost.com/securityfix/2008/10/microsofts_patch_tuesday_inclu.html?nav=rss_blog
Microsoft today released 11 software updates to fix at least 20 security flaws in its Windows operating systems and other software. Windows users can grab the latest updates from Microsoft Update or by turning on Automatic Updates. This month's bundle of updates includes at least five fixes for security holes in Microsoft's Internet Explorer Web browser, as well as patches for at least four separate flaws in Microsoft Office, three affecting Microsoft Excel exclusively. The IE flaws impact both IE6 and IE7, but are more of a threat for users running IE on Windows 2000 or Windows XP systems. All told, nine of the vulnerabilities fixed this month earned "critical" ratings from Microsoft, meaning the software giant believes that criminals could leverage them to break into exposed systems with little or no help from the victim. October also is the first month Microsoft has detailed how each flaw fares on
Tue, 14 Oct 08
Security Software Suites No Match for Custom Attacks
http://voices.washingtonpost.com/securityfix/2008/10/security_software_suites_vs_cu.html?nav=rss_blog
The all-in-one security software suites from the major anti-virus vendors fail spectacularly at detecting custom-made malware that exploits the latest software vulnerabilities, according to testing done by security analysis firm Secunia. Secunia tested how well nearly a dozen security suites fared against malicious files and direct attacks that leveraged more than 150 known software flaws. All of the vulnerabilities used in the test are publicly documented -- details of them can be found in the Common Vulnerabilities and Exposures (CVE) database -- and most of the vulnerabilities can be fixed by applying a software update currently available from the program's maker. Secunia says that out of the 300 test cases, 126 are particularly important because they affect very popular products and have either been discovered as zero-day threats or Secunia has developed working exploits. Secunia CTO Thomas Kristensen said all of the vulnerabilities used in the test merit a moderate
Tue, 14 Oct 08
Microsoft Stock Price Routinely Dinged by Security Patches
http://voices.washingtonpost.com/securityfix/2008/10/microsoft_stock_price_routinel.html?nav=rss_blog
Microsoft's stock price suffers more than usual on days that it ships software updates to plug security holes, new research suggests. With few exceptions, Redmond issues security updates on the second Tuesday of each month. Microsoft implemented what's known as "Patch Tuesday" several years ago in order to give companies more time to plan for testing and rolling out the updates. It also began disclosing each Thursday prior how many security problems customers could expect to have to deal with on Patch Tuesday. Microsoft did all this in the name of increasing the predictability of its patching process. But according to researchers at McAfee Avert Labs, the other predictable part of Patch Tuesday and Advance Notification Thursday is that Microsoft's stock price almost always sinks on those days relative to other trading days. On average, Patch Tuesday saw Microsoft's stock price fall -0.11 percent in 2006, -0.29 percent last year,
Sat, 11 Oct 08
Phishers, Virus Writers Exploit Global Financial Crisis
http://voices.washingtonpost.com/securityfix/2008/10/phishers_virus_writers_exploit.html?nav=rss_blog
Security experts and the federal government are warning that scam artists are leveraging public concern over the global financial crisis to steal sensitive financial data and spread malicious software. In an alert posted Thursday, the Federal Trade Commission urged Internet users to be on guard against e-mails that look as if they come from a financial institution that recently acquired a consumer's bank, savings and loan, or mortgage. "In fact, these messages may be from 'phishers' looking to use personal information -- account numbers, passwords, Social Security numbers -- to run up bills or commit other crimes in a consumer's name," the FTC said. Security firm Arbor Networks details two recent malware attacks that try to trick recipients into opening an e-mail attachment. One e-mail, claiming to have been sent by the Federal Deposit Insurance Corp., warns recipients that their bank accounts were involved in fraudulent activity. The attached file,
Sat, 11 Oct 08
Apple, Opera Ship Security Updates
http://voices.washingtonpost.com/securityfix/2008/10/apple_opera_ship_security_upda.html?nav=rss_blog
Apple on Thursday released software updates to fix a slew of security issues in computers powered by its OS X operating system. Separately, a new version of the Opera Web browser is available that addresses a pair of serious security flaws. Apple's seventh big bundle of updates so far this year plugs more than 40 security holes in the operating system and other software for Mac OS X 10.4 and 10.5 desktops and server versions. Among the applications tweaked in this update are Apache, Finder, and ClamAV, the anti-virus software that ships with OS X server products. The updates are available via the built-in Software Update feature, or directly from Apple's software downloads Web site. For whatever reason, Opera still does not offer an auto-update feature. Opera users can grab the newest iteration of the browser, version 9.6, from Opera's Web site. In addition to the two security patches, the
Fri, 10 Oct 08
Spam Volumes Plummet After Atrivo Shutdown
http://voices.washingtonpost.com/securityfix/2008/10/spam_volumes_plummet_after_atr.html?nav=rss_blog
Security Fix has spilled quite a bit of digital ink chronicling the demise of Atrivo (a.k.a. "Intercage"), a now-defunct Northern Calif. based Internet service provider that served as home base for a large number of cyber criminal operations. Happily, data released this week about a short-lived but precipitous decline in the level of badness online after Atrivo was shut down illustrates just how bad Atrivo was. Internet security firm MessageLabs said it observed a significant drop in the level of spam and botnet activity (PDF) after Atrivo's upstream Internet providers pulled the plug on the company last month. The graphic to the right shows a collapse in the level of spam emanating from computers infected with some of the nastiest spam-enabling malware, including the Storm worm, Cutwail, Srizbi and MegaD. MessageLabs said the decline was due to the fact that a large number of command and control networks used
Thu, 9 Oct 08
Spear Phishing Scam Targets LinkedIn Users
http://voices.washingtonpost.com/securityfix/2008/10/spear_phishing_attacks_against.html?nav=rss_blog
About 10,000 users of LinkedIn.com, the social networking site for professionals, recently were targeted by a tailor-made scam that urged recipients to open a malicious file masquerading as a list of business contacts. Most e-mail-based malware attacks and phishing campaigns designed to trick people into handing over personal and financial data generally are blasted out indiscriminately. But so-called "spear phishing" attacks - such as the bogus LinkedIn campaign -- address recipients by name in the subject line and body of the message to appear more legitimate. The messages in this campaign were of course spoofed to look like they were sent from support@linkedin.com, with the subject line "Re: business contacts." The message read: [recipient's name] We managed to export the list of business contacts you have asked for. The name, address, phone# , e-mail address and website are included. The list is attached to this message. After you you check
Thu, 9 Oct 08
Son of Tenn. Lawmaker Indicted in Palin E-Mail Hack
http://voices.washingtonpost.com/securityfix/2008/10/son_of_tenn_lawmaker_indicted.html?nav=rss_blog
The son of a prominent Democratic Tennessee state lawmaker was indicted Tuesday on charges of hacking into the Yahoo! Web mail account of Alaska Gov. Sarah Palin. David C. Kernell, 20, of Knoxville, was indicted by a federal grand jury on a single count of accessing Palin's e-mail without permission. The FBI said Kernell turned himself in to federal authorities and will be arraigned today. Kernell is the son of Tennessee State Representative Mike Kernell, who acknowledged shortly after the incident that authorities had contacted his son in connection with the investigation. According to the indictment, on Sept. 16, Kernell broke into Palin's Yahoo! account by guessing the answers to her pre-selected "Secret Questions" that must be answered before Yahoo! will let users reset e-mail account passwords. Authorities say Kernell read Palin's e-mail messages and then made and posted online screenshots of the e-mail inbox, along with the new password
Wed, 8 Oct 08
Spammers Favor Obama Over McCain 7 to 1
http://voices.washingtonpost.com/securityfix/2008/10/spammers_favor_obama_over_mcca.html?nav=rss_blog
While political polls may show Sens. Barack Obama and John McCain locked in a close race for the White House, junk e-mail purveyors have a clear favorite. According to research by Secure Computing, spammers are seven times as likely to invoke Obama's name in a subject line in a bid to trick people into opening the missives. The company found that spam touting either candidate peaked around the middle of the Republican National Convention. Still, for the month of September, political-themed junk e-mail favored Obama 84 percent of the time, while spam campaigns mentioning McCain made up just 12 percent of the total, Secure Computing said. The vice presidential race, on the other hand, appears to be far more competitive - at least from the spammer's perspective. Secure Computing found that about 1.9 percent of fake political spam last month named Alaska Gov. Sarah Palin in the headline, while
Mon, 6 Oct 08
Report: Data Breaches Expose About 30M Records in '08
http://voices.washingtonpost.com/securityfix/2008/10/516_data_breaches_in_2008_expo.html?nav=rss_blog
U.S. corporations, governments and universities reported a record 516 consumer data breaches in the first nine months of this year, incidents prompted chiefly by hackers and employee theft, according to a report released today by a nonprofit group that works to prevent fraud. The Identity Theft Resource Center, of San Diego, found that this year's data breach tally has easily eclipsed 2007's 446 incidents. At an average of 57 caches of consumer data reported lost or stolen each month, U.S. organizations are on track to divulge at least 680 breaches by the end of 2008. About 80 percent of the breaches involved digital records, while the remainder stemmed from the loss, theft or exposure of paper-based records. A description of each incident is available in the Identity Theft Resource Center's 2008 Breach List (PDF). Some 30 million records on consumers have been exposed so far this year. But experts
Sat, 4 Oct 08
New State Laws Target Data Encryption, RFID Tracking
http://voices.washingtonpost.com/securityfix/2008/10/new_state_laws_target_data_enc.html?nav=rss_blog
The states have been busy of late enacting laws that address a broad spectrum of security protections, from outlawing radio frequency identification (RFID) tag tracking to requiring organizations to encrypt sensitive data whether it is stored on a computer or sent over the Internet. California Gov. Arnold Schwarzenegger this week approved a bill that would make it illegal to secretly scan the data encoded on unsecured RFID chips for the purposes of tracking, identity theft or counterfeiting the devices. RFID tags are tiny chips that are now commonly embedded into many retail products, student IDs, drivers' licenses, passports and medical ID cards. Most RFID tags are "passive," in that they have no internal power supply and are designed to be read from a few inches away, but researchers have shown that even passive tags can be read from more than 30 feet with special equipment. However, for the second year
Fri, 3 Oct 08
House.gov Still Plagued by E-mail Deluge
http://voices.washingtonpost.com/securityfix/2008/10/housegov_still_plagued_by_e-ma.html?nav=rss_blog
A glut of e-mail from constituents and special interest groups continued to pose problems for the Web sites for members of the U.S. House of Representatives on Thursday, as millions of Americans attempt to voice their opinions on the financial bailout package the day before an expected vote on the measure. Jeff Ventura, a spokesperson for the House's chief administrative officer, called the volume of e-mail flowing through member Web sites "staggering and unprecedented." He said more than two-dozen interest groups sending large batches of e-mail have contributed to the problem. "Advocacy groups are collecting e-mails and then shoving them into a system that was really designed for manual input, not for people to send us wholesale batches of thousands of e-mails at a time," Ventura said. Still, he said, e-mails from individual users still far outnumber those submitted in bulk. The timing of the Wall Street rescue package also
Fri, 3 Oct 08
October is Cyber Security (Un)Awareness Month
http://voices.washingtonpost.com/securityfix/2008/10/october_is_cyber_security_unaw.html?nav=rss_blog
October is Cyber Security Awareness Month, and it seems many people are in need of some serious awareness-raising on this front. A recent survey indicates that while more than 80 percent of computer users thought they had firewall software installed, follow-up inspections found that only half of those users actually had the software installed or running on their PCs. The data comes from a poll of 3,000 Americans conducted by Zogby International, with security vendor Symantec conducting follow-up manual computer scans on computers belonging to 400 of those surveyed. While the study suggests that Americans seem to be well aware of whether they have up-to-date anti-spyware and anti-virus software installed, only 52 percent had anti-spam filters set up, even though 75 percent thought they did, Symantec found. Fifty-one percent of those surveyed said they had been targeted by a phishing attack, a scam that uses spoofed e-mail to lure recipients
Thu, 2 Oct 08
New Federal Law Targets ID Theft, Cybercrime
http://voices.washingtonpost.com/securityfix/2008/10/new_federal_law_targets_id_the.html?nav=rss_blog
President Bush last week signed into law a bill that seeks to make it easier for prosecutors to go after cybercrooks, while ensuring that identity theft victims are compensated for their time and trouble when convicted identity thieves are forced to cough up ill-gotten gains. The Identity Theft Enforcement and Restitution Act of 2008 lowers the bar prosecutors need to clear before bringing hacking and other cybercrime charges against an individual. Under current federal cybercrime laws, prosecutors must show that the illegal activity caused at least $5,000 in damages before they can bring charges for unauthorized access to a computer. The new law eliminates that requirement. The law makes it a felony, during any one-year period, to damage 10 or more protected computers used by or for the federal government or a financial institution, and directs the U.S. Sentencing Commission to review its guidelines and consider increasing the penalties for
Wed, 1 Oct 08
Software Lets Users Manipulate Passport Data
http://voices.washingtonpost.com/securityfix/2008/09/tool_lets_users_change_their_p.html?nav=rss_blog
A security researcher has published a software tool that makes it easy to copy and modify identification data encoded onto the computer chips embedded in passports issued by the United States and dozens of other countries. Jeroen van Beek, a security researcher at the University of Amsterdam, discussed his work at the Black Hat security conference in Las Vegas last month, but only this week released the tool that allows anyone to manipulate data on the passport chips. The attack is targeted at electronic passports or "e-passports." According to the U.S. State Department, the United States stopped issuing passports without the chips in August 2007. Close to four dozen other countries also issue e-passports, which are designed around an open international standard. The information on the chips - name, date of birth, passport number, photo, etc. - is designed to be readable by a wireless interface known as radio frequency
