Security Fix
Sat, 31 Oct 09
A makeover for federal cybersecurity reporting
http://feeds.voices.washingtonpost.com/click.phdo?i=a83bc73e76d13855f252e2ec44f73baf
The federal regulations telling agencies how to secure their computer networks are overdue for an overhaul: Even the author of the 2002 law now admits that it needs updating to reflect today's threats from hackers, viruses and cyber spies. Critics of the Federal Information Security Management Act (FISMA) long have complained that the way it has been implemented often amounts to a massive paperwork exercise. Yet somehow that criticism seems so much more valid when you actually see all of the resulting paperwork piled up in one place. John Streufert, the chief information security officer at the U.S. Department of State, told a Senate Homeland Security and Governmental Affairs subcommittee Thursday that the department spent $133 million over the past six years on certification and accreditation (C&A) reports, a process whereby agencies evaluate every three years what defensive security protections are in place to secure federal systems. Streufert said that money
Fri, 30 Oct 09
DHS: PhoneSnoop app bugs BlackBerrys
http://feeds.voices.washingtonpost.com/click.phdo?i=d67bcdbdb3416ca9eabbf4f6dbdca0f2
The Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) is warning BlackBerry users about a spyware program that allows attackers to turn a target's handset into a microphone that can be accessed remotely. PhoneSnoop is a free, remote spying application designed for BlackBerry phones. The app works by intercepting phone calls from a predetermined 'trigger' number. When PhoneSnoop detects an incoming call from that number, it accepts the call and turns on the BlackBerry's speaker phone, effectively allowing the caller to listen in on the target's surroundings. There are some very real limitations of this spying app: For starters, an attacker would need to have physical access to the victim's phone in order to install the app. PhoneSnoop also can't listen in on the victim's phone calls, and it leaves a conspicuous new program icon in the victim's app list. Still, the alert serves as a useful reminder
Thu, 29 Oct 09
Nastygram: Spoofed FDIC bank fail e-mail
http://feeds.voices.washingtonpost.com/click.phdo?i=d128a50b4965b4a1e96543dfdc365f48
Spam e-mails mimicking the Federal Deposit Insurance Corp. and warning of additional bank failures are instead the latest bid by cyber crooks to empty your bank account, security experts warn. The messages arrive with subjects such as "FDIC has officially named your bank a failed bank," and "Check your Bank Deposit Insurance Coverage." The missives warn: "You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets." Recipients are instructed to click a link that opens one of dozens of Web sites with names crafted to look like fdic.gov. The links lead to a counterfeit FDIC page that offers a copy of "your personal FDIC insurance file" to see whether your coverage has been impacted. The files are offered as Adobe PDF
Wed, 28 Oct 09
Former Anti-Virus Researcher Turns Tables On Industry
http://feeds.voices.washingtonpost.com/click.phdo?i=7d1fa99fdead4b76fcb4d9c83398afe1
A security researcher shunned by the anti-virus community for violating its unwritten rules has attempted to turn the tables, erecting a Web service that virus writers could use to make their creations more stealthy and undetectable for longer periods of time. At issue is a new site called avtracker.info, which aims to keep tabs on the different automated analysis services used by the security industry, such as Virustotal, ThreatExpert, and Norman Sandbox. Researchers who unearth new malicious code samples often submit them to these services to learn more about how the malware behaves and to see whether the samples are currently detected by anti-virus products. The results of each scan are shared broadly within the security industry, allowing anti-virus makers that don't detect the malware to incorporate detection for them in future updates that are pushed out to customer PCs. Enter AV Tracker. Armed with up-to-date information about these automated
Wed, 28 Oct 09
Barackobama.com 'hack' is a hoax
http://feeds.voices.washingtonpost.com/click.phdo?i=f0d3e637c1ae477ceede545d39ad2168
A hacker's claim that he compromised the successor to President Obama's campaign Web site appears to be a hoax, according to information that surfaced since the matter came to light early Monday. The kerfuffle started when a hacker and blogger with a history of posting evidence of security vulnerabilities in popular and high-traffic Web sites published evidence indicating that poor security at barackobama.com had exposed internal databases at the site. The hacker, identified only as "Unu," claimed that a security flaw in barackobama.com allows anyone to view the user names and passwords needed to administer the site. With that access, an attacker could view database information, upload content to the site - including malicious software - or simply deface the landing page with digital graffiti. Barackobama.com is now managed by the Democratic National Committee's Organizing for America. Hari Sevugan, national press secretary for the DNC, dismissed the claim, and said
Tue, 27 Oct 09
FBI: Cyber Crooks Stole $40M From U.S. Small, Mid-Sized Firms
http://feeds.voices.washingtonpost.com/click.phdo?i=b86f038263c31209c847db2ea5cd25c2
Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week. According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim's online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company's online account in sub-$10,000 chunks to avoid banks' anti-money-laundering reporting requirements. From there, the funds are sent to so-called "money mules," willing or unwitting individuals recruited over the Internet through work-at-home job scams. When the mules pull the cash out of their accounts, they are instructed to wire it (minus a small commission) via services such as MoneyGram and Western Union, typically to organized criminal groups operating in countries
Sat, 24 Oct 09
Nastygram: 'A New Settings File'
http://feeds.voices.washingtonpost.com/click.phdo?i=3f31578ba9945bab678aa75f3a85a573
Security Fix is debuting "Nastygram," a short, hopefully regular feature alerting readers about some of the latest, sneakier e-mail scams. Each report will include a graphic at the top like the one in this blog post, which explains what readers should do with these missives. One particularly insidious and persistent nastygram of late is a message that will look like it was sent by your company's internal IT folks, and carries the subject "A new settings file for the [insert address of someone on your employer's network]". To increase the appearance of legitimacy, the message includes your company's domain name throughout the message. The link embedded in the message is made to appear as though it will take you somewhere on your employer's domain. In the old days, you could tell where a link was leading just by hovering over it with your mouse. Nowadays, the bad guys make
Wed, 21 Oct 09
E-Banking on a Locked Down PC, Part II
http://feeds.voices.washingtonpost.com/click.phdo?i=94da62e4d5d7e129db3e59aa91307ac3
A pair of Security Fix blog posts last week urging businesses to consider using something other than Microsoft Windows when banking online elicited strong reactions from readers. Most said they thought it was a fresh perspective and sound advice, while others criticized me for going too far or for failing to recommend less drastic alternatives. Let me be clear: The advice was aimed not at consumers, but at small to mid-sized companies that may not have a full-time IT/security staff, and who rely on one or two people to handle their bank accounts and payroll online. That said, I wanted to respond to a couple of specific alternatives suggested by readers, because I felt they fell short of the level of security that these companies need to avoid becoming the next victim. For example, some readers emphasized the importance of ensuring that employees' Windows computers are running under a limited
Tue, 20 Oct 09
ChoicePoint Breach Exposed 13,750 Consumer Records
http://feeds.voices.washingtonpost.com/click.phdo?i=4a2d5fb6f0cc5c5448fb4ce555fd0ba6
ChoicePoint Inc., one of the nation's consumer data brokers, agreed to pay $275,000 to federal regulators as a result of a data breach last year that exposed Social Security numbers and other personal information on 13,750 people. The agreement comes in response to claims by the Federal Trade Commission that ChoicePoint violated the terms of a settlement reached following a separate data breach at the company in 2005 that led to hundreds of cases of identity theft. In 2006, ChoicePoint - now a subsidiary of Reed Elsevier Inc - paid $15 million to settle charges that it violated federal consumer protection laws when it allowed criminals to purchase sensitive financial and personal data on at least 163,000 Americans. The FTC had sued ChoicePoint, charging that the incident led to at least 800 confirmed identity theft crimes. ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged
Tue, 20 Oct 09
President Obama on Cyber Security Awareness
http://feeds.voices.washingtonpost.com/click.phdo?i=3617fccf25ec4d6e7fd22c4b298ee613
President Obama this week issued a short video address discussing the importance of cyber security awareness. The three-minute clip offers little in the way of startling revelation or news. But it is probably the most the president has had to say publicly about the topic since May, when he delivered a 16-minute speech saying he planned to create a new cyber security office at the White House that would be led by an as-yet-unappointed coordinator. In these latest remarks, Obama said he would soon appoint someone to that position, and offered thoughts about the need for a "public private partnership," to secure America's cyber infrastructure. The president closed with some basic tips that regular Internet users can observe to keep their corner of the Web safe and secure. Obama said he has designated October as Cyber Security Awareness Month. Indeed, he signed a proclamation on Oct. 1 declaring it to
Sun, 18 Oct 09
Mozilla Disables Microsoft's Insecure Firefox Add-on
http://feeds.voices.washingtonpost.com/click.phdo?i=5773b3ae598bd27411a6876cf07348c7
Mozilla is disabling a pair of components stealthily installed by Microsoft earlier this year for Windows users of the Firefox Web browser, warning that the software suffers from a serious security vulnerability. Firefox users may already have seen a pop-up notice about an unstable or insecure add-on being disabled. The message would look something like the image below. There's a short backstory to this drama. In May, I wrote about a Windows patch for the Microsoft .NET package that silently installed the Microsoft .NET Framework Assistant add-on into Firefox. The package also included an associated plug-in for Firefox called the Windows Presentation Foundation plug-in. The Mozilla user community was up in arms over not just the fact that Microsoft was introducing unwanted components that could potentially weaken the security of Firefox, but that Redmond had made the thing almost impossible to remove. Microsoft's initial response -- that the add-on could be removed
Fri, 16 Oct 09
PayChoice Suffers Another Data Breach
http://feeds.voices.washingtonpost.com/click.phdo?i=79214bf09508f65101974aefbb096eff
Payroll services provider PayChoice took its Web-based service offline for the second time in a month on Wednesday in response to yet another data breach caused by hackers. Moorestown, N.J.-based PayChoice provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations. On Thursday morning, the company sent a notice to its customers saying it had once again closed onlineemployer.com -- the portal for PayChoice's online payroll service -- this time after some clients began noticing bogus employees being added to their payroll. "After investigation, we determined that valid user credentials for an Online Employer user were used in an unauthorized manner to add these fictitious employees in an attempt to have payments made to fraudulent bank accounts," the company said in an e-mail alert to their clients sent Thursday. This week's attack appears to be
Fri, 16 Oct 09
Researcher: Hackers Hijack Some Facebook Apps
http://feeds.voices.washingtonpost.com/click.phdo?i=457b4337ff4e08329fd9c144e544f772
A number of games and other applications built to be used on Facebook.com have been hacked so that users are quietly sent to sites that try to install malicious programs, a security researcher has found. Roger Thompson, chief research officer for computer security firm AVG, discovered about a half-dozen Facebook games and app home pages had been compromised by attackers. While hacked Facebook profile pages are not uncommon -- thanks largely to threats like the Koobface worm -- Thompson said this was the first time he'd seen actual Facebook applications being hacked. According to Thompson, the hackers somehow slipped malicious "iframes" -- small, hidden chunks of computer code that invisibly load content from exploit sites -- into each of the Facebook.com Web pages where users would go to use the apps. The exploit sites in turn try to foist malicious software if the visitor is running outdated Adobe products, such
Thu, 15 Oct 09
Mozilla: Firefox Users, Check Your Plug-ins
http://feeds.voices.washingtonpost.com/click.phdo?i=c2bb5af4481e287dbe92ca8d976d1ed9
Mozilla is now offering Firefox users a simple way to tell whether the browser's various plug-ins are up-to-date with the latest security patches. Plug-ins are components installed by third-party software that power videos, animation and games in the browser, among other things. Outdated plug-ins can give malware an easy way into your computer, so it's important to make sure your browser has the latest, most secure versions. Even if you are normally vigilant about updating third-party software, occasionally a software update will fail to automatically patch its accompanying plug-in. Enter Mozilla's Plugin Check: Let it scan Firefox, and it will tell you which of the plug-ins you have installed needs patching. (A screen shot of the results of a scan done on my test machine is pictured above). Any outdated plug-ins for which Plugin Check can find an updated version will land at the top of the list, and when
Thu, 15 Oct 09
Trojan Turns Smash & Grab Into Grab & Smash
http://feeds.voices.washingtonpost.com/click.phdo?i=064d5f1e15a24aea91b898ce5d05a7da
Imagine being in charge of your organization's finances, and learning from your bank one morning that thieves had stolen tens of thousands of dollars from company coffers overnight using your online banking credentials. Now imagine your frustration when you go to log in to your PC to assess the damage, only to find that the computer you typically use to access the account has been kneecapped by the bad guys. This is precisely what happened to Kathy Dake, office manager for St. Isidore Catholic Church in Danville, Calif. Dake had infected her PC with the Zeus Trojan after opening a malicious e-mail disguised as a notice from the IRS about "unreported income" (see New IRS Scam Could Be Costly). The thieves used Zeus to steal the credentials Dake uses to administer the church's bank account, and a week ago Friday she came in to work to find her computer would not
Wed, 14 Oct 09
Adobe Plugs 29 Critical Reader, Acrobat Holes
http://feeds.voices.washingtonpost.com/click.phdo?i=0bedac07f3905b7a0202446bae27633a
Adobe Systems Inc. on Tuesday issued a new version of both Adobe Acrobat and its free Adobe PDF Reader to fix at least 29 separate security vulnerabilities in these products. If you have either (or both) of these programs installed, take a moment to update them. Adobe warns that hackers already are exploiting at least one of the flaws to break into vulnerable systems. Users of Adobe Reader and Acrobat version 9.1.3 and earlier should update to version 9.2, available in the "solution" section at this link. Updates are available for Windows, Mac and Unix versions of the programs. Adobe has some special instructions for those who for whatever reason need to stay with older lines of the software: The company recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who
Wed, 14 Oct 09
Microsoft Issues Record Number of Security Updates
http://feeds.voices.washingtonpost.com/click.phdo?i=491c63f70871b1fb13f8a6d2c64bf757
Microsoft Corp. on Tuesday issued an unprecedented number of updates to fix security problems in PCs powered by its Windows operating systems and other software: The software giant released patches to plug at least 34 security holes, the highest number of vulnerabilities it has ever addressed in a single month. October's batch of patches offers a little something for all Windows users, fixing security issues in Windows applications from the Internet Explorer (IE) browser and Microsoft Silverlight, to Microsoft's Internet Information Services (IIS) server, said Tyler Reguly, lead security research engineer at security vendor nCircle. "Again we see a month of client-side issues in almost every major Microsoft product," Reguly said. "Whether you run Office, Windows Media Player, Internet Explorer, .NET or just Windows itself, there's a vulnerability for you." Two-thirds of security holes addressed this month earned Microsoft's "critical" rating - its most severe. Microsoft labels a security flaw
Tue, 13 Oct 09
Avoid Windows Malware: Bank on a Live CD
http://feeds.voices.washingtonpost.com/click.phdo?i=d7bf4357ad0ed41f9a4b3c4c59d7faa5
An investigative series I've been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud. The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online. I do not offer this recommendation lightly (and at the end of this column you'll find a link to another column wherein I explain an easy-to-use alternative). But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 because of a single malware infection. I have heard stories worthy of a screenplay about the myriad ways cyber crooks are evading nearly every security obstacle the banks put in their way. But regardless of the methods used by the bank or the crooks, all
Tue, 13 Oct 09
E-Banking on a Locked Down (Non-Microsoft) PC
http://feeds.voices.washingtonpost.com/click.phdo?i=2cdbbc2cbc694299d3488ed4c4f1631e
In past Live Online chats and blog posts, I've mentioned an easy way to temporarily convert a Windows PC into a Linux-based computer in order to ensure that your online banking credentials positively can't be swiped by password-stealing malicious software. What follows is a brief tutorial on how to do that with Ubuntu, one of the more popular bootable Linux installations. Also known as "Live CDs," these are generally free, Linux-based operating systems that one can download and burn to a CD-ROM or DVD. The beauty of Live CDs is that they can be used to turn a Windows-based PC into a provisional Linux computer, as Live CDs allow the user to boot into a Linux operating system without installing anything to the hard drive. Programs on a Live CD are loaded into system memory, and any changes -- such as browsing history or other activity -- are completely wiped
Sat, 10 Oct 09
Comcast Trials Browser Alerts for Bot-Infected Customer PCs
http://feeds.voices.washingtonpost.com/click.phdo?i=ba6fc1701cc5ddd40baf06b960b25b59
Comcast, the nation's largest residential Internet service provider, this week began rolling out an initiative to contact customers whose PCs appear to be infected with malicious software, by notifying these users via Web browser alerts. The Philadelphia-based cable Internet company has already been alerting bot-infected customers via phone for the past year, but a pilot program in Denver that began Thursday will inform affected users with a so-called "service notice," a semi-transparent banner that overlays a portion of whatever page is being displayed in the customer's Web browser. Customers can then either move or close the alert, or click "Go to Anti-Virus Center," for recommended next-steps, which may include downloading and running the McAfee anti-virus tools the company offers for free, or purchasing a cleanup package and allowing a Comcast technician to attempt to remotely diagnose and fix the problem. Jay Opperman, senior director of security and privacy at Comcast,
Sat, 10 Oct 09
Adobe Warns of Critical Threat to Reader, Acrobat Users
http://feeds.voices.washingtonpost.com/click.phdo?i=b5542fa49c1e24f10ea2a8acffab4b3f
Adobe Systems Inc. late Thursday issued an alert saying that hackers are exploiting a newly-discovered vulnerability in its free PDF Reader and Acrobat products to break into Microsoft Windows systems. Adobe said it plans to release a patch to fix this vulnerability next Tuesday, in keeping with its recent shift to push out security updates in tandem with Microsoft's regular monthly patch cycle, which occurs on the second Tuesday of each month (a.k.a. "Patch Tuesday"). According to the Adobe advisory, the company is planning to release an update for Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh to resolve critical security issues. "Among other issues, this update will resolve a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459) on Windows, Macintosh and UNIX," Adobe said in its
Fri, 9 Oct 09
Phishing Scam Spooked FBI Director Off E-Banking
http://feeds.voices.washingtonpost.com/click.phdo?i=47731149ea64d73ac8ff8491236f3937
In announcing a crackdown on "phishing" e-mail scams that netted one of the FBI's largest cyber crime cases ever, FBI Director Robert Mueller on Wednesday offered a candid revelation: A personal close call with a phishing scam has kept his family away from online banking altogether. Addressing the Commonwealth Club of California in San Francisco, Mueller spoke at length about the insidiousness of cyber crime, and how cyber criminals had affected him personally. Not long ago, the head of one of our nation's domestic agencies received an e-mail purporting to be from his bank. It looked perfectly legitimate, and asked him to verify some information. He started to follow the instructions, but then realized this might not be such a good idea. It turned out that he was just a few clicks away from falling into a classic Internet "phishing" scam--"phishing" with a "P-H." This is someone who spends a good
Thu, 8 Oct 09
Latest FBI Crackdown on Phishing Targets 100 Defendants in U.S., Egypt
http://feeds.voices.washingtonpost.com/click.phdo?i=56057a049d0b69a597eca3b4c58cd448
UPDATED: 7:45 p.m. Law enforcement authorities in California, Nevada and North Carolina arrested 33 people Wednesday as part of an international crackdown on "phishing," e-mail scams that trick people into giving personal and financial data to counterfeit Web sites. The action, dubbed "Operation Phish Phry" by the FBI, targeted at least 100 people, including 20 defendants in the United States who remain at large. The FBI said that authorities in Egypt have charged at least 47 unindicted co-conspirators there in connection with the scam, which ran from January 2007 through September. It is the largest group of defendants to face charges in a cybercrime case, the FBI said. According to a 51-count indictment returned last week by a federal grand jury in Los Angeles, the defendants in Egypt used e-mails to lure customers of Wells Fargo and Bank of America to phony bank Web sites rigged to steal victims' usernames and
Thu, 8 Oct 09
Hijacked Webmail Accounts Used to Promote Dodgy E-Commerce Sites
http://feeds.voices.washingtonpost.com/click.phdo?i=e9f9ad3eea38828fa488d2fad65c04cd
Tens of thousands of compromised Gmail, Hotmail and Yahoo Webmail accounts are being used to gin up traffic for dodgy, bargain-basement electronics vendors online that only accept bank transfers and Western Union payments, security experts warn. Over the weekend, the credentials for at least ten thousand Microsoft Hotmail accounts were briefly posted online. Microsoft acknowledged the incident on Monday, saying the accounts were stolen as part of a phishing scam. Since then, other news outlets have reported that large caches of Yahoo and Gmail account credentials also were found online. According to an analysis by security vendor Websense, attackers used the hijacked accounts to spam each victim's e-mail contacts, sending messages that tout several online electronics stores. According to Websense, the stores promoted in the spam e-mails are all fakes set up to steal your money (click the image at the right for an enlarged screen shot of one sales
Wed, 7 Oct 09
Zeus Trojan Infiltrates Bank Security Firm
http://feeds.voices.washingtonpost.com/click.phdo?i=aebd1d7e4cce1ba574c41afd5400b8c3
On Sept. 1, security industry start-up Silver Tail Systems held an in-depth online seminar for its bank and e-commerce clients that examined the stealth and sophistication of Zeus, a data-stealing Trojan horse program that organized thieves have used in a string of lucrative cyber heists this year. A week later, Silver Tail learned that Zeus had infiltrated its own network defenses. Silver Tail founder Laura Mather said she believes her company was targeted by criminals wielding Zeus specifically because of the recent webinar, which spotlighted the myriad ways in which Zeus can defeat online banking security measures. Still, she said the incident shows this family of malware can be a threat to any business - even security companies. "Luckily, we were vigilant enough and had things locked down to a degree that the attackers weren't able to get anything of value to them," Mather said.
Tue, 6 Oct 09
Trove of Hotmail Passwords Posted Online
http://feeds.voices.washingtonpost.com/click.phdo?i=30982a1b0c8c3cfab96dbea7859654a6
If you use Microsoft's free Hotmail service, it may be time to change your password: Microsoft said Monday that several thousand Hotmail account credentials were posted online over the weekend. In a statement posted to its Windows Live Spaces blog, Microsoft said the company has determined that the data spill was not the result of a breach of internal Microsoft data, but rather was likely the haul from a phishing scheme. Microsoft said it is taking measures to block access to all of the accounts that were exposed and has resources in place to help those users reclaim their accounts. Microsoft said users who believe their information was documented on the illegal list (i.e., you have reason to believe you may have recently fallen for a Hotmail phishing scam) can reclaim access to their accounts by filling out this form. October being Cyber Security Awareness Month and all, it's probably
Fri, 2 Oct 09
DHS Seeking 1,000 Cyber Security Experts
http://feeds.voices.washingtonpost.com/click.phdo?i=2a630266f2451f10fc096dbca4b639b5
The Department of Homeland Security is poised to go on a geek hiring spree. DHS Secretary Janet Napolitano announced Thursday that the agency has been cleared to hire at least 1,000 new cybersecurity professionals over the next three years to fill staffing gaps at various DHS agencies. "This new hiring authority will enable DHS to recruit the best cyber analysts, developers and engineers in the world to serve their country by leading the nation's defenses against cyber threats," Napolitano said. According to Napolitano, the department will look to fill "critical cybersecurity roles," including "cyber risk and strategic analysis, cyber incident response, vulnerability detection and assessment, intelligence and investigation, and network and systems engineering." The DHS secretary made the remarks at a press conference Thursday to kick off National Cybersecurity Awareness Month. Interestingly, Thursday also marks the target date for the launch of the new U.S. Cyber Command (USCYBERCOM), according to
Thu, 1 Oct 09
Hackers Breach Payroll Giant, Target Customers
http://feeds.voices.washingtonpost.com/click.phdo?i=9d08cbfb0e6e237a2c21a191430e8935
Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm's customers in a scheme to steal passwords and other information. Moorestown, N.J.-based PayChoice provides direct payroll processing services and licenses its online employee payroll management product to at least 240 other payroll processing firms, serving 125,000 organizations. Last Wednesday, a number of PayChoice customers received an e-mail warning them that they needed to download a Web browser plug-in in order to maintain uninterrupted access to onlineemployer.com, the portal for PayChoice's online payroll service. The supposed plug-in was instead malicious software designed to steal the victim's user names and passwords. Unlike typical so-called "phishing" scams -- which are sent indiscriminately to large numbers of people in the hopes that some percentage of recipients are customers of the targeted institution -- this attack addressed PayChoice customers by name in
Thu, 1 Oct 09
Stress Testing Microsoft's Free Anti-virus Offering
http://feeds.voices.washingtonpost.com/click.phdo?i=c3812cec09401a36e28164eeab3d6ead
Microsoft's free new anti-virus product is earning decent marks in preliminary tests, putting it roughly on par with many other stand-alone anti-virus products available today. A number of readers seem keen to try out Microsoft Security Essentials (MSE), but are eager to hear how the program stacks up against other free anti-virus tools in terms of detecting and removing malware. While the results of early testing may not provide that side-by-side comparison, they do offer a glimpse of how effective MSE may be in blocking and tackling some of the most common threats currently in circulation. The MSE performance analysis comes from av-test.org, a group that routinely publishes the results of anti-virus stress tests. AV-Test ran MSE against 3,732 samples of malware that are currently infecting PCs around the world, and found that the program blocked all of them, both when the samples were opened or accessed and when the
