
Security Fix

 

Wed, 31 Dec 08
One Weak Link to Rule Them All
http://feeds.voices.washingtonpost.com/click.phdo?i=1a7e1c296f17dad518e62685f9b9312a
It is said that any security system is only as strong as its weakest link. A team of researchers today proved that point yet again, showing the world how they could use known weaknesses in the encryption technology that protects online transactions to undermine the security around e-commerce. washingtonpost.com ran an in-depth story I wrote about their findings, along with a sidebar explaining the weakness in a bit more detail. Long story short: An international team of security experts (pictured at right) showed that they could undermine the system most of us rely on to secure our online transactions, so that even though the browser indicates your connection is encrypted (Web browser address starts with "https://") and vetted by a third party to be secure and authentic, it may in fact be controlled by an attacker offering up a counterfeit Web site designed to steal your information. Web users are

Sat, 27 Dec 08
Beware Holiday e-Greeting Cards, Digital Hitchhikers
http://feeds.voices.washingtonpost.com/click.phdo?i=a3a9da57c145c0cf2003ceeef2ab84f0
Cyber crooks are once again blasting out fake holiday e-greeting cards in a bid to spread their special kind of cheer. Also, there are signs that computer viruses may again be piggybacking on digital photo frames and other data storage devices that make popular holiday gifts. E-greeting scams are hardly new, but they tend to increase around major holidays, probably because consumers are more receptive to opening them at these times and because more people are home in front of their computers. Most of these e-greeting scams try to foist malicious software by claiming the recipient needs to install some application in order to view the card, such as Adobe's Flash Player. Almost invariably, the downloaded program isn't a legitimate add-on, but malware. According to Symantec, some of the fake e-card domains being used in this scam include (please don't visit any of these sites): * [http://]itsfatherchristmas.com * [http://]bestchristmascard.com * [http://]whitewhitechristmas.com *

Wed, 24 Dec 08
PC Got a Virus? Consider Getting Help Offline
http://feeds.voices.washingtonpost.com/click.phdo?i=789042a6a7f0ed9aaf6af5ae1f82e009
If you suspect or know your PC is infected with a virus, it's probably wise to avoid purchasing anything using that computer until you're sure the machine is clean. That includes additional anti-virus or security products. Chances are the malicious software on your machine includes built-in ability to steal user names, passwords and other sensitive data from infected hosts. Recently, I've heard from several people who used their credit or debit cards at the first sign of infection, to renew or upgrade their anti-virus protection when their existing software didn't work or failed to update. Also, in a Live Web chat a few weeks ago, one reader described how he "stupidly" went online and bought an anti-virus product after realizing he'd infected his machine with a DNS hijacker Trojan. Consumers can be forgiven for such goofs: After all, they paid for security software, they expect (rightly or wrongly) to be

Tue, 23 Dec 08
Microsoft Plugs at Least 28 Security Holes
http://voices.washingtonpost.com/securityfix/2008/12/microsoft_plugs_at_least_28_se.html?wprss=securityfix
Microsoft has an early holiday present for Windows users: A batch of eight software updates that plug at least 28 security holes in the widely-used operating system and other Microsoft products. Six out of eight of the update bundles earned a "critical" rating, meaning Microsoft views these flaws as so serious that attackers could use them to break into vulnerable machines without any help from victims, save perhaps for convincing those users to visit a malicious or hacked Web site. A critical update for Internet Explorer fixes at least four flaws in the popular browser (both IE6 and IE7). Another patch bundle addresses five vulnerabilities that can be exploited through ActiveX controls, a feature specific mainly to IE. Microsoft also issued patches to fix a pair of flaws in the way Windows handles "Windows Metafile" or WMF image files, vulnerabilities that once again could be exploited when an unpatched Windows

Tue, 23 Dec 08
Report: Cybercrime is Winning the Battle Over Cyberlaw
http://voices.washingtonpost.com/securityfix/2008/12/report_cybercrime_is_winning_t.html?wprss=securityfix
Law enforcement agencies worldwide are losing the battle against cyber crime at a time when criminals are increasingly using the global economic downturn to make headway in recruiting more computers and computer users to further illegal online activities, a scathing new report from security vendor McAfee concludes. McAfee's annual "Virtual Criminology Report" (PDF) notes that the number of compromised PCs used for blasting out spam and facilitating a host of online scams has quadrupled in the last quarter of 2008 alone, creating armies of spam "zombies" capable of flooding the Internet with more than 100 billion spam messages daily. In an increasing number of cases, those missives are playing on public fears over the battered economy, pitching recipients on too-good-to-be-true job offers aimed to enlist them in cybercrime operations, McAfee said. "Cybercriminals are cashing in on the fact that the economic downturn is causing people worldwide to increasingly turn to

Tue, 23 Dec 08
A Scary Twist in Malware Evil-ution
http://voices.washingtonpost.com/securityfix/2008/12/a_scary_twist_in_malware_evil-.html?wprss=securityfix
Security experts are warning Internet users to be aware of a disturbing evolution in malicious software that can turn a single infected computer into a vehicle for stealing data from nearby systems, regardless of what operating system or security software those computers may be running. The evolution comes compliments of the DNSChanger family of malware, which usually comes disguised as a codec or browser plug-in that a user is told he or she needs to install in order to view Web-based videos. As its name suggests, the malware alters the domain name system (DNS) server settings on infected systems, effectively routing the victim's Web searches and other online activities through servers that the attackers control. DNSChanger can install on a Mac or Windows computer. The added feature in the latest version of DNSChanger is that it installs its own DHCP server on the victim's machine. DHCP stands for "dynamic host

Fri, 19 Dec 08
Hundreds of Stolen Data Dumps Found
http://feeds.voices.washingtonpost.com/click.phdo?i=9914ff30c685c53648965cd4adecd98c
A comprehensive new study that peers into huge troves of financial data stolen by cyber thieves confirms what experts have surmised from looking at much smaller, isolated caches of digital loot: That criminals can make hundreds, even thousands, of dollars a day selling data stolen with the help of widely available software toolkits. Recent reports by security firms Finjan, RSA, SecureWorks and Symantec have shown that stolen identities, bank accounts and credit card numbers are sold in bulk every day in shadowy online forums, often for pennies on the dollar. In its analysis, Symantec found in 2007 that the going rate for the keys to assuming someone else's identity was between $14 and $18 per victim. Those reports either presented conclusions based on examining a single cache of stolen data, or by observations based on watching transactions between cyber thieves. But a report released today by researchers at the University

Thu, 18 Dec 08
Firefox 2 Users Will Get No More Security Updates
http://feeds.voices.washingtonpost.com/click.phdo?i=b361127641f667bb31e0ac5c77ad6465
Security Fix has often praised Mozilla for equipping its Firefox Web browser with a no-hassle system for automatically applying security updates. But for those users still browsing the Interwebs with anything less than Firefox 3, it's time to take note: Mozilla shipped its final update to Firefox 2 on Tuesday, and plans no further updates for this version. Put simply: If you want to keep using Firefox safely, you're going to need to upgrade to Firefox 3. The latest version of the popular browser received mixed reviews on its release, but Mozilla appears to have done a good job ironing out the kinks since then. Most notably, Firefox 3 consumes far less system memory than older releases. That said, there is a non-trivial chance that Mozilla may in fact ship another update to Firefox 2. A bug report filed Wednesday with Mozilla indicates the browser maker overlooked a security flaw

Thu, 18 Dec 08
Microsoft Issues Emergency Patch to Curb Password-Stealing Hackers
http://feeds.voices.washingtonpost.com/click.phdo?i=e4985acdc4668cd0e30b0740acb1df2d
Microsoft today issued an emergency update to plug a critical security hole present in all versions of its Internet Explorer Web browser, a flaw that hackers have been leveraging to steal data from millions of Windows users. The patch, which Microsoft dubbed MS08-078, fixes a security vulnerability that Microsoft says already has been used to attack more than 2 million Windows users. As Security Fix and other members of the tech community have chronicled, attackers have been busy compromising thousands of Web sites by seeding them with code that installs password-stealing software on computer systems of Web site visitors who use Internet Explorer. Microsoft estimated Monday that one in every 500 Windows users had been exposed to sites that try to exploit the flaw. Additionally, it said the number of victims was increasing at a rate of 50 percent daily. Vulnerability management company nCircle said Microsoft's decision to issue the

Thu, 18 Dec 08
CheckFree.com Hijack May Have Affected 160,000 Users
http://feeds.voices.washingtonpost.com/click.phdo?i=eaee7ceff780368f461f6221d691d89f
Online bill pay giant CheckFree.com said the hijacking of its Web site this month affected an estimated 160,000 people, a disclosure that offers the most detailed account yet of the true size and scope of a brazen type of attack that experts say may become more common in 2009. In a filing with Wisconsin's Office of Privacy Protection, CheckFree said at least 160,000 people may have visited the site during the nine-hour period it was hijacked, which had redirected visitors to a site in Ukraine. An analysis of that Ukrainian site indicated that it was trying to exploit known security flaws in Adobe Acrobat and Adobe Reader, in an attempt to install a variant of the Gozi Trojan, which is among the most sophisticated password-stealing programs in use today. CheckFree controls between 70 to 80 percent of the U.S. online bill pay market. Among the 330 kinds of bills

Wed, 17 Dec 08
Google Ads Lead to Phony Apps
http://feeds.voices.washingtonpost.com/click.phdo?i=5eff1fcf57253ad9ea4a57ae7f8064f0
Web security firm Websense is warning that scam artists have hijacked Google's sponsored links to spread rogue anti-virus software. While this type of attack is not new, I was amazed to find how deeply Google's ad program appears to be infested with this crud. Websense's alert shows how following sponsored links generated by searches for popular software titles may not be such a hot idea. Their investigation of the sites served up at those links took them through what appears to be a long and convoluted effort to trick visitors into installing bogus security software. Websense discovered the scam after searching for WinRAR, a popular tool used for archiving files and folders. Interestingly, when I searched for WinRAR just a few minutes ago, I found two different sponsored links to sites that offered up a version of the program that came with a malicious keystroke-logging program attached, according to a

Wed, 17 Dec 08
Microsoft: Emergency Patch for IE Flaw Coming Wednesday
http://feeds.voices.washingtonpost.com/click.phdo?i=f43b8572f86b04c4970d36f300d23c1e
Microsoft is signaling that it plans to ship an emergency software update on Wednesday to fix a dangerous security hole in its Internet Explorer Web browser that thousands of compromised Web sites have been using to install malicious software. Microsoft says the critical flaw is present in all versions of IE, from IE5 all the way up through IE8 Beta 2. In an unusually frank blog post, the company estimated that about 0.2 percent of Windows users worldwide may have been exposed to Web sites containing exploits that try to attack this vulnerability. While one in every 500 IE users may not sound like a large number, Microsoft said the frequency of attacks is increasing dramatically. "That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50 percent in

Wed, 17 Dec 08
Apple Patches 21 Security Flaws
http://feeds.voices.washingtonpost.com/click.phdo?i=b6e31fbb1ee3e26bea5fbaf5fd9fd1f7
Apple has released software updates to fix at least 21 security vulnerabilities in its Mac OS X operating system and other software for the Mac. The patches are available via Software Update or Apple Downloads. Seven of the updates included in this patch bundle fix flaws for the Mac version of Adobe's Flash player, flaws that Adobe patched last month in two separate releases. No matter what OS platform you use, it's important not only to keep Flash updated with the latest security protections, but also to only use Adobe's site to grab those updates (for everything but Solaris, Flash 10,0,12,36 is the latest version). Bogus Flash updates are probably the single biggest vector for distributing malicious software in use today. So, when in doubt, keep this link handy: It will show you whether you are indeed running the most up-to-date version of Flash.

Sat, 13 Dec 08
Microsoft: Big Security Hole in All IE Versions
http://feeds.voices.washingtonpost.com/click.phdo?i=4aef664ce437d0011d55a452457c24a7
On Wednesday, Security Fix warned readers about a newly-discovered security hole in Internet Explorer 7. I'm posting this again because Microsoft now says the flaw affects all supported versions of IE, and because security experts are warning that a large number of sites are being compromised in an effort to exploit this vulnerability and install malware on vulnerable systems. The SANS Internet Storm Center reports that hackers are breaking into legitimate Web sites and uploading code that could install data-stealing software on the machine of a user who visits the site using Internet Explorer. SANS's chief technology officer Johannes Ullrich estimates that thousands of sites have been seeded with this exploit to date. For example, Web security firm Websense reports that hackers have compromised the Chinese Web site for ABIT, the maker of motherboards that power many home computers. So far, the exploits appear to be only stealing online gaming

Sat, 13 Dec 08
Who's Tracking You?
http://feeds.voices.washingtonpost.com/click.phdo?i=afac6b05b71a7a87f97c96435d0850be
The cover story for the January 2009 issue of Popular Mechanics magazine is a piece I wrote about ways marketers, or even stalkers, can track people through technologies many of us use every day. Here's a snippet from that piece: "Free Web services aren't free," says Gregory Conti, a computer science professor at the United States Military Academy at West Point. "We pay for them with micropayments of personal information. Users aren't entirely oblivious to the fact that information is being collected, and they're doing a cost-benefit analysis, but they're not thinking long-term." Even those who take the time to read a Web site's privacy policy may not realize how many companies have access to their data. That's because most Web sites pull advertisements, snippets of code and other content from a number of third-party sources, any one of which may track the visitor and use the data in a

Sat, 13 Dec 08
Retail Fraud Rates Plummeted the Night McColo Went Offline
http://feeds.voices.washingtonpost.com/click.phdo?i=b0e6696b8437e67742299131b781e08f
One month after the shutdown of hosting provider McColo Corp., spam volumes are nearly back to the levels seen prior to the company's take down by its upstream Internet providers. But according to one noted fraud expert, spam wasn't the only thing that may have been routed through the Silicon Valley based host: New evidence found that retail fraud dropped significantly on the same day. It is unclear whether the decrease in retail fraud is related to the McColo situation, but in speaking with Ori Eisen, founder of 41st Parameter, he said close to a quarter of a million dollars worth of fraudulent charges that his customers battle every day came to a halt. Eisen, whose company provides anti-fraud consulting to a number of big retailers and banks, told me at least two of the largest retailers his company serves reported massive declines in fraud rates directly following McColo's termination.

Sat, 13 Dec 08
Court Freezes Assets of Alleged 'Scareware' Purveyors
http://feeds.voices.washingtonpost.com/click.phdo?i=26a2d0213b936f839b82059d091b3079
A federal court has frozen the assets of several businesses accused of conspiring to trick more than one million consumers into purchasing and installing "scareware," which uses fake security alerts to frighten consumers into paying for bogus computer security software. According to the complaint by the Federal Trade Commission, two companies -- Innovative Marketing, Inc. and ByteHosting Internet Services, LLC -- embedded extra computer code in online ads, which they placed on Web sites on behalf of legitimate companies. The code would then redirect viewers to other sites that warned of security and privacy threats on the visitor's computer. "These sites would then claim to scan the consumers' computers for security and privacy issues," the FTC said. "The 'scans' would find a host of purported problems with the consumers' computers and urge them to buy the defendants' computer security products for $39.95 or more. However, the scans were entirely false."

Thu, 11 Dec 08
Microsoft Investigating Reports of New IE7 Exploit
http://feeds.voices.washingtonpost.com/click.phdo?i=cf24155cdfebe2f4cd9f8dc02efd20f2
Microsoft said it is investigating reports that a new exploit is going around that takes advantage of an unpatched security hole in Internet Explorer 7. The SANS Internet Storm Center, which tracks hacking trends, said today that while the exploit does not appear to be widely in use at the moment, that situation is likely to change soon, since instructions showing criminals how to take advantage of this flaw have been posted online. SANS emphasizes that this vulnerability is not one that was fixed in the massive bundle of patches that Microsoft issued yesterday. It is not clear what steps users can take to protect themselves against this threat, other than to browse the Web with something other than IE, such as Mozilla Firefox or Opera. This appears to be the type of vulnerability that could be used to give attackers complete control over an affected system merely by convincing

Wed, 10 Dec 08
Microsoft Plugs at Least 28 Security Holes
http://voices.washingtonpost.com/securityfix/2008/12/microsoft_plugs_at_least_28_se.html?nav=rss_blog
Microsoft has an early holiday present for Windows users: A batch of eight software updates that plug at least 28 security holes in the widely-used operating system and other Microsoft products. Six out of eight of the update bundles earned a "critical" rating, meaning Microsoft views these flaws as so serious that attackers could use them to break into vulnerable machines without any help from victims, save perhaps for convincing those users to visit a malicious or hacked Web site. A critical update for Internet Explorer fixes at least four flaws in the popular browser (both IE6 and IE7). Another patch bundle addresses five vulnerabilities that can be exploited through ActiveX controls, a feature specific mainly to IE. Microsoft also issued patches to fix a pair of flaws in the way Windows handles "Windows Metafile" or WMF image files, vulnerabilities that once again could be exploited when an unpatched Windows

Wed, 10 Dec 08
Report: Cybercrime is Winning the Battle Over Cyberlaw
http://voices.washingtonpost.com/securityfix/2008/12/report_cybercrime_is_winning_t.html?nav=rss_blog
Law enforcement agencies worldwide are losing the battle against cyber crime at a time when criminals are increasingly using the global economic downturn to make headway in recruiting more computers and computer users to further illegal online activities, a scathing new report from security vendor McAfee concludes. McAfee's annual "Virtual Criminology Report" (PDF) notes that the number of compromised PCs used for blasting out spam and facilitating a host of online scams has quadrupled in the last quarter of 2008 alone, creating armies of spam "zombies" capable of flooding the Internet with more than 100 billion spam messages daily. In an increasing number of cases, those missives are playing on public fears over the battered economy, pitching recipients on too-good-to-be-true job offers aimed to enlist them in cybercrime operations, McAfee said. "Cybercriminals are cashing in on the fact that the economic downturn is causing people worldwide to increasingly turn to

Tue, 9 Dec 08
A Scary Twist in Malware Evil-ution
http://voices.washingtonpost.com/securityfix/2008/12/a_scary_twist_in_malware_evil-.html?nav=rss_blog
Security experts are warning Internet users to be aware of a disturbing evolution in malicious software that can turn a single infected computer into a vehicle for stealing data from any nearby systems, regardless of what operating system or security software those computers may be running. The evolution comes compliments of the DNSChanger family of malware, which usually comes disguised as a codec or browser plug-in that a user is told he or she needs to install in order to view Web-based videos. As its name suggests, the malware alters the domain name system (DNS) server settings on infected systems, effectively routing the victim's Web searches and other online activities through servers that the attackers control. DNSChanger can install on a Mac or Windows computer. The added feature in the latest version of DNSChanger is that it installs its own DHCP server on the victim's machine. DHCP stands for "dynamic

Sun, 7 Dec 08
Digging Deeper Into the CheckFree Attack
http://voices.washingtonpost.com/securityfix/2008/12/digging_deeper_into_the_checkf.html?nav=rss_blog
The hijacking of the nation's largest e-bill payment system this week offers a glimpse of an attack that experts say is likely to become more common in 2009. Atlanta based CheckFree acknowledged Wednesday that hackers had, for several hours, redirected visitors to its customer login page to a Web site in Ukraine that tried to install password-stealing software. While this attack garnered few headlines, there are clues that suggest it may have affected a large number of people. CheckFree claims that more than 24 million people use its services. Avivah Litan, a fraud analyst with Gartner Inc., said CheckFree controls between 70 to 80 percent of the U.S. online bill pay market. Among the 330 kinds of bills consumers can pay through CheckFree are military credit accounts, utility bills, insurance payments, mortgage and loan payments. A spokeswoman for Network Solutions, the Herndon, Va., domain registrar that CheckFree used to register

Thu, 4 Dec 08
Hackers Hijacked Large E-Bill Payment Site
http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html?nav=rss_blog
Hackers on Tuesday hijacked the Web site CheckFree.com, one of the largest online bill payment companies, redirecting an unknown number of visitors to a Web address that tried to install malicious software on visitors' computers, the company said today. The attack, first reported by The Register, a security news Web site, began in the early morning hours of Dec. 2, when Checkfree's home page and the customer login page were redirected to a server in the Ukraine. CheckFree spokeswoman Melanie Tolley said users who visited the sites during the attack would have been redirected to a blank page that tried to install malware. Tolley added that CheckFree regained control over its site by 5 a.m. on Dec. 2. The company said it was still having the malware analyzed by experts. "The degree of exposure to users is dependent on how current their anti-virus software is and what browser they used

Thu, 4 Dec 08
Court Rules Against Teacher in MySpace 'Drunken Pirate' Case
http://voices.washingtonpost.com/securityfix/2008/12/court_rules_against_teacher_in.html?nav=rss_blog
A student teacher who was denied a teaching degree just days before graduating has lost a court battle against her would-be alma mater. One of the contributing reasons for her dismissal was a photo she posted onto MySpace.com. Just days before her graduation in May 2006, Millersville University in Pennsylvania accused student Stacy Snyder of promoting underage drinking, after they discovered a photo on her MySpace page titled "Drunken Pirate," in which Snyder can be seen wearing a pirate hat and drinking from a plastic cup. (A photo can be seen on The Smoking Gun.) At the time, Snyder was 25 and working as a student-teacher at Conestoga Valley High School. Snyder maintained that the photo was taken at a costume party off campus and after school hours. But when the university refused to issue her a teaching degree, Snyder sued, citing violation of her First Amendment rights.

Thu, 4 Dec 08
Would You Like an Update With Your Java?
http://voices.washingtonpost.com/securityfix/2008/12/security_update_for_java.html?nav=rss_blog
Sun Microsystems has released a security update to its Java software. Since cyber criminals have a history of targeting Java vulnerabilities, and because at least 800 million computer users have some version of Java installed, it's probably time for most readers to update this program. Sun's release notes are somewhat light on details, saying Sun Java 6.0 Update 11 contains fixes for one or more security vulnerabilities. Not sure whether you have Java or the latest version installed? Check out this link. Windows users can grab the latest version by opening the Windows Control Panel, clicking the Java icon, and then visiting the "Update" tab and clicking "Update Now." After you begin the update process, note that unless you want the Yahoo! toolbar also installed, you'll need to uncheck that option before proceeding with the rest of the install. Other OS users can find the update by following this link.

Tue, 2 Dec 08
Apple: Mac Users Should Get Antivirus Software
http://voices.washingtonpost.com/securityfix/2008/12/apple_mac_users_should_get_ant.html?nav=rss_blog
In a notable shift, Apple is now recommending that Mac users install anti-virus software to help users secure their systems. In a technical note quietly published to its support site on Nov. 21, Apple issued the following advice: "Apple encourages the widespread use of multiple anti-virus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult." This is news to me. Just under three months ago, I asked an employee at our local Apple store whether I needed anti-virus for my MacBook, and was told not to bother, that it was not necessary. I wonder if this means Apple will stop running television ads saying Mac users don't have to worry about malicious software? Security Fix hears from readers constantly wondering whether they should secure their Macs. I suspect this may be because more people are choosing to purchase

 
