McAfee false-positive glitch fells PCs worldwide - The Register - Security

03 July, 2009 10:48 PM
When AV attacks

IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan attacked core system files, in some cases causing the machines to display the dreaded blue screen of death.…

Friday Squid Blogging: Office Squid - Schneier on Security

03 July, 2009 09:31 PM
Office squid....

The Pros and Cons of Password Masking - Schneier on Security

03 July, 2009 06:42 PM
Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong. I was certainly too glib. Like any security countermeasure, password...

Kentucky payroll phishing scam nets small fortune - The Register - Security

03 July, 2009 06:01 PM
Blue grass county hit by Trojan-fueled cybercrime

A gang of cybercrooks has made off with $415,000 from the coffers of Bullitt County, Kentucky following the conclusion of an elaborate phishing scam, The Washington Post reports.…

Latin Best Buy surfers sprayed by drive-by download malware - The Register - Security

03 July, 2009 01:02 PM
¡Ay, Caramba!

Hackers have invaded the Best Buy website to plant exploit code targeted at South and central American surfers.…

The Insecurity of Secrecy - Schneier on Security

03 July, 2009 12:18 PM
Good essay -- "The Staggering Cost of Playing it 'Safe'" -- about the political motivations for terrorist security policy. Senator Barbara Boxer has led an effort to at least put together a public database of ash storage sites so that people can judge the risk to the areas where they live. However, even this effort has been blocked not by...

A practical guide to disaster recovery planning - The Register - Security

03 July, 2009 11:03 AM
Two papers for smaller businesses

Typically, vendor white papers are written with the ITDM or senior ITDM at a large company, in mind. [ITDM is industry jargon for "IT decision maker", since you ask.] People working at smaller companies are rather less well served, in quantity and quality. So today we focus our Reg Library selection on a couple of good papers aimed at small and medium-sized businesses.…

Hackers crack ColdFusion - The Register - Security

03 July, 2009 10:55 AM
Drive-by download attack hits multiple hosts

Hackers are running a mass compromise against sites running vulnerable ColdFusion application server installations.…

RB2: ShakaCon Interview: Hackers with freakin' laser beams on their freakin' heads - Risky Business

03 July, 2009 05:57 AM
Tagline: 
Paul Craig chats to the ShakaCon laser masters...

If you're an avid RB2 listener you would have already heard the ShakaCon presentation by Andrea Barisani and Daniele Bianco on non-conventional keystroke sniffing techniques.

Their presentation was on sniffing keystrokes through powerlines, or alternatively by using freakin' lasers attached to their frickin' heads to detect the sound of keystrokes and then work out what was being typed.

RB2: ShakaCon Presentation: Hackers with freakin' laser beams on their heads, the presentation - Risky Business

03 July, 2009 05:52 AM
Tagline: 
Pew pew, you are no match for hackers with lasers, pew pew...

This podcast is a ripper, it's a presentation by Andrea Barisani and Daniele Bianco.

RB2 correspondent Paul Craig was in Hawaii last month for the ShakaCon security conference and he recorded this talk, which looks at side channel attacks using optical sampling of mechanical energy emissions and power line leakage.

What does that mean? Hackers with freakin' laser beams on their freakin' heads is what it means. These guys have developed techniques for sniffing keystrokes out of power lines and via laser beams... you know, the ones on their freakin' heads!

Risky Business #114 -- Gartner: Infosec jobs bound for India - Risky Business

03 July, 2009 05:24 AM
Tagline: 
Outsourcing meteor could mean trouble for planet infosec...

This week's edition of Risky Business is hosted by Vigabyte virtual hosting and brought to you by Check Point.

On this week's show we'll be joined by Gartner analyst Andrew Walls, who's got some less than reassuring things to say about the security of your job in the long term. Apparently the great big destructive meteor, "outsourcing," is about to collide with planet infosec, and when that happens it'll be grim indeed.

Month Of Twitter Bugs exposes microblogging flaws - The Register - Security

03 July, 2009 04:36 AM
Making a hashtag of Web 2.0 security

The Month Of Twitter Bugs has begun with the publication of a flaw in a URL shortening service often used in conjunction with the microblogging service.…

Gamer embezzles virtual cash to settle real debts - The Register - Security

03 July, 2009 12:17 AM
Eve Online banker does a runner

As if high-profile investment scandals and the economic downturn weren't bad enough here on Earth, now folks have to deal with it outside our galaxy. Virtually, at least.…

iPhone crashing bug could lead to serious exploit - The Register - Security

02 July, 2009 09:30 PM
More fun with SMS

Updated This story was updated to correct factual errors contained in an IDG News article that first reported the vulnerability.

Speculation mounts over AVG plans for OS X client - The Register - Security

02 July, 2009 06:00 PM
'Mac users have no antibodies'

AVG bosses aren't saying much, but there's new evidence the anti-virus maker is seriously considering building an application for the Mac.…

Information Leakage from Keypads - Schneier on Security

02 July, 2009 05:09 PM
Can anyone guess the entry codes for these door locks? There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads. The first is most likely 1986 or 1968. The second is almost certainly 1234....
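The 24 in that post is 4! (four worn keys, four positions, no repeats). As an added example that is not part of Schneier's post, the following JavaScript generalises the count: given the set of worn keys on an n-digit keypad lock, how many codes remain consistent with that observation, and how many bits of secrecy the wear has leaked. The worn-key sets are constructed inputs; the closed form (surjections from positions onto the worn digits, via inclusion-exclusion) is checked against brute-force enumeration.

```javascript
// Added example (not from the original post): residual search space of an
// n-digit keypad code once wear marks reveal exactly which keys are used.
// Inputs such as [1, 9, 8, 6] are constructed for illustration.

// Count codes of length `codeLength` whose set of distinct digits equals
// `wornKeys`, by brute force over all 10^codeLength codes (fine for n <= 6).
function countCandidates(wornKeys, codeLength = 4) {
  const worn = new Set(wornKeys.map(String));
  const total = 10 ** codeLength;
  let count = 0;
  for (let c = 0; c < total; c++) {
    const digits = String(c).padStart(codeLength, "0");
    const used = new Set(digits);
    if (used.size === worn.size && [...used].every((d) => worn.has(d))) count++;
  }
  return count;
}

// C(n, r) via the multiplicative formula (every partial product is an integer).
function binomial(n, r) {
  let b = 1;
  for (let i = 1; i <= r; i++) b = (b * (n - r + i)) / i;
  return b;
}

// Closed form: codes of length n that use each of k given digits at least
// once = number of surjections from n positions onto k digits,
// sum_{j=0..k} (-1)^j C(k, j) (k - j)^n. Returns 0 when k > n.
function surjections(n, k) {
  let sum = 0;
  for (let j = 0; j <= k; j++) {
    sum += (j % 2 === 0 ? 1 : -1) * binomial(k, j) * (k - j) ** n;
  }
  return sum;
}

// Bits of secrecy lost relative to the full 10^n code space.
function bitsLeaked(wornKeys, codeLength = 4) {
  const remaining = countCandidates(wornKeys, codeLength);
  return Math.log2(10 ** codeLength / remaining);
}

// Four worn keys: 24 candidates out of 10,000, about 8.7 bits gone.
console.log(countCandidates([1, 9, 8, 6]), surjections(4, 4), bitsLeaked([1, 9, 8, 6]).toFixed(2));
// Three worn keys (one digit repeats): 36 candidates.
console.log(countCandidates([1, 2, 3]), surjections(4, 3));
```

Fewer worn keys does not always mean a harder lock: three worn keys leave 36 candidates, two leave 14 and one leaves a single code, so the only wear pattern that preserves the full space is a keypad that is worn evenly or not at all.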

Boomerang attack against AES better than blind chance - The Register - Security

02 July, 2009 03:33 PM
Pesky algorithm not invulnerable

Cryptographic researchers have uncovered a chink in the armour of the widely used AES algorithm.…

Spam levels bounce back after botnet takedown - The Register - Security

02 July, 2009 01:02 PM
Even botnets have backup now

Spam levels are returning to normal following the recent takedown of crime-friendly ISP 3FN, which temporarily interrupted the operation of a significant spam spewing botnet.…

Religion, Politics, and PCI - Society of Payment Security Professionals - Compliance Demystified

02 July, 2009 01:00 PM

As we approach Independence Day, I thought it fitting to post a blog on politics and religion as they are such an integral part of our country’s rich history. It has long been said that politics and religion should not be discussed amongst mixed company. People generally have very passionate and entrenched views on these topics and as such any discussion can quickly turn from a friendly debate into an ugly argument. For those who are not history buffs, our own country’s founding fathers did not always get along and had some famously heated debates about the direction of the new nation.

In reading through the various blog postings, tweets, and forums, I believe we are almost at the point where we may want to include “PCI” in the list of taboo topics to discuss over dinner. While I am obviously exaggerating for effect, PCI is certainly a topic that causes passionate debate. I am one of those who has passionate views on the state of payment card security.

When reading the various blogs and forums one will quickly see that they run the spectrum from obsequious fawning to downright indignation and anger about the standard, the PCI SSC, the card brands, QSAs, and everyone in between.

While most people reading this particular blog likely have passionate views about religion, politics, and payment card security (PCI), it is open, impersonal, passionate debate that will continue to move payment card security forward. If I could envision a model for discourse within the payment card industry, it would likely be modeled after our friends in the UK House of Commons, where impassioned debate as well as levity (and the occasional questionable joke) are the order of the day. If the House of Commons is too extreme an example, then our own congressional debates can serve as the model. The important point to take from this is that we should all strive to debate furiously and passionately without taking or making it personal.

I have had the opportunity to own a QSA firm, work at MasterCard, serve on the PCI SSC, and train QSAs. While I may not agree with the positions of each or any of the groups at one point or another, one thing I have learned is that each of these entities has very different pressures and challenges. From my own personal experience, I can say that I was absolutely dumbfounded at the complexity and challenges faced by MasterCard and all of the considerations that must be made when modifying the SDP or PCI DSS.

On that note, let the debates continue, but let's not forget the larger picture. We all work in the payment card industry and are ultimately all working toward the same goal. While we may (and usually do) disagree on the direction of the PCI DSS or other programs, this is natural and necessary for the evolution of the standard and security within our industry.

If you have something to say and want to have it published in Secure Payments, please consider doing so. The magazine is open and we don’t have to agree with your position to realize that someone may find value in the article.

Have a safe Independence Day weekend!

More Security Countermeasures from the Natural World - Schneier on Security

02 July, 2009 11:11 AM
The plant caladium steudneriifolium pretends to be ill so mining moths won't eat it. She believes that the plant essentially fakes being ill, producing variegated leaves that mimic those that have already been damaged by mining moth larvae. That deters the moths from laying any further larvae on the leaves, as the insects assume the previous caterpillars have already eaten...

China not demolishing Green Dam - The Register - Security

02 July, 2009 10:51 AM
Censorware not going anywhere after all

China's controversial mandatory censorware has only been delayed rather than abandoned, according to state media.…

PCI DSS compliance - It’s easy to make it tough on yourself…. - Beast Or Buddha

02 July, 2009 03:44 AM

It’s been an interesting few months as we’ve seen a rapid rise in the number of organisations coming to talk to us about PCI DSS compliance. The really cool thing, as mentioned here, is that we are seeing proof that if you approach your PCI DSS compliance projects like we suggested here in this post, “PCI Compliance Projects - The road to nowhere…“, you will have a greater chance of success!

We’ve worked with so many great companies in recent months who’ve taken the advice on-board seriously and have made awesome inroads in regards to their IT security position (and PCI DSS compliance) - most now “compliant”, (….well as compliant as you can get).

On the flip-side, and let's not dwell on this too much, we’ve also seen a few organisations prove that not approaching a PCI DSS compliance project as recommended in our post does make for an expensive and very much time-consuming/wasting exercise for all.

A PCI DSS compliance project is what you make of it. You can give up and claim it is impossible, (and close your eyes to the fact that there are others who have done it), or you can make it work. The principles of a successful PCI DSS compliance project are no different to the principles you would adopt to make any other project successful!

Related Links:
- Previous PCI Posts (Uncut)
- Six ways you can bork PCI
- PCI: Choosing your Auditors Carefully

Stealthy click fraud tool exploits 9ball attack - The Register - Security

01 July, 2009 11:02 PM
Meet the Keyser Soze of malware

Miscreants have developed one of most sophisticated click fraud malware applications to date.…

Feds: Hospital hacker's 'massive' DDoS averted - The Register - Security

01 July, 2009 09:32 PM
Arrest foils 'Devil's Day' scheme

The leader of a malicious hacker collective who used his job as a security guard to breach sensitive Texas hospital computers has been arrested just days before his group planned a "massive DDoS" attack for the July 4 Independence Day holiday.…

MD6 Withdrawn from SHA-3 Competition - Schneier on Security

01 July, 2009 07:27 PM
In other SHA-3 news, Ron Rivest seems to have withdrawn MD6 from the SHA-3 competition. From an e-mail to a NIST mailing list: We suggest that MD6 is not yet ready for the next SHA-3 round, and we also provide some suggestions for NIST as the contest moves forward. Basically, the issue is that in order for MD6 to be...

Jackson mass mailer adds to attack onslaught - The Register - Security

01 July, 2009 04:55 PM
More zombies than the Thriller video

Miscreants have created a Michael Jackson mass-mailing worm.…

New Attack on AES - Schneier on Security

01 July, 2009 04:49 PM
There's a new cryptanalytic attack on AES that is better than brute force: Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2^119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher...

Torrentreactor breach serves potent exploit cocktail - The Register - Security

01 July, 2009 04:19 PM
iframe redirection redux

Torrentreactor has long been regarded as one of the top bit torrent search engines, and with the demise of The Pirate Bay, it's likely bigger than ever. Now, it's been breached and is serving a potent cocktail of exploits to people browsing the site, Websense Security Labs says.…

Mozilla’s Content Security Policy - ha.ckers.org web application security lab

01 July, 2009 02:59 PM

Some of you who have been following my blog over the last 3+ years may recall me talking about Content Restrictions - a way for websites to tell the browser to raise their security on pages where the site knows the content is user submitted and therefore potentially dangerous. In reality I’ve been talking about this for close to 5 years privately with the Mozilla team - back when their offices were about 2000 square feet and the entire office smelled like feet. Ahh, those were the days. Well, we are creeping very close to seeing Content Restrictions (now named Content Security Policy) in reality, finally! Thanks in huge part to Gerv and Brandon over at Mozilla.

I hear rumors that it should be released in Firefox-next (also known as 3.6 - scheduled for early to mid 2010). So give it another year or so and we should have a workable defense against XSS on pages that must allow user submitted HTML and JavaScript - think eBay, MySpace, and so on. The only trick is making sure the companies who have these problems have projects in their pipelines to use this header once it becomes live. So if you happen to know someone who works for a company who has this problem or happen to work there yourself, please make sure others are aware of this well ahead of time. I for one am very excited to see this approaching reality after all these years, and I encourage you to watch their website for updates if you are at all interested in building user submitted widgets and the like.

On a less thrilling note it also has some clickjacking defenses in it, but just like Microsoft’s X-FRAME-OPTIONS header, I think it’s really not particularly interesting, it’s an opt-in model and clickjacking is so prevalent as an avenue for attack. Opt in security models work on sites that know they’ve got a problem (like user submitted HTML and JS) not on sites that don’t know they’ve got a problem (like wireless access points and web enabled firewalls). Alas - I digress, and I don’t mean to diminish the overall positives of this solve. Indeed, I’m very excited by the future of Content Security Policy as it may make surfing “fun” sites safe again - even with JavaScript and Flash enabled! Wouldn’t that be a crazy thought?

In unrelated news, I did a podcast with Dennis Fisher over at Threatpost on some of the RFC1918 issues I discussed a few weeks back and Slowloris. If you’re interested, please feel free to have a listen!

Kaspersky beats Zango in malware classification case - The Register - Security

01 July, 2009 01:48 PM
Right to call spade a digging implement won

Kaspersky Lab has secured a legal victory against notorious adware firm Zango, with a ruling that goes a long way towards protecting security software developers from nuisance lawsuits from the developers of internet pests in future.…

Security, Group Size, and the Human Brain - Schneier on Security

01 July, 2009 11:51 AM
If the size of your company grows past 150 people, it's time to get name badges. It's not that larger groups are somehow less secure, it's just that 150 is the cognitive limit to the number of people a human brain can maintain a coherent social relationship with. Primatologist Robin Dunbar derived this number by comparing neocortex -- the "thinking"...

Conficker left Manchester unable to issue traffic tickets - The Register - Security

01 July, 2009 10:53 AM
Infection cost £1.5m in total

Manchester City Council was prevented from issuing hundreds of motoring penalty notices in time after the infamous Conficker worm knocked out parts of its IT systems.…

China spam crisis provokes researcher's ire - The Register - Security

01 July, 2009 09:48 AM
Name and shame campaign aims to change attitudes

A security researcher is calling for action against Chinese internet firms which are failing to protect their services from abuse by cybercrooks.…

Strange Cellphone Behavior - ADD / XOR / ROL

01 July, 2009 01:46 AM
Hey all,

I know this blog post is a bit weird, but I reckon I'd share this: For some reason that is quite unknown to me, my cellphones have a habit of developing strange behaviors. I used to use a Nokia N73, which developed the following habit:

When in foreign time zones (Japan, Norway, USA) the phone would send more-or-less random old text messages to more-or-less random people from my address book. There would be a merry mix & match between the two, leading to more than one amusing misunderstanding that needed clearing up.

Then, at some point last fall, I switched to the silly shiny Apple telephony device (perhaps people do better QA on their backdoors on that platform). For a few months, the problems went away.
This changed last week -- now, when I send text messages to certain numbers, the phone seems to send a more-or-less random old text message that has already been sent to the same number along with the message. This is a bit nicer (as it will not mix & match), but still annoying.

So .. uhm ... I am trying to come up with plausible explanations for this behavior. Can anyone offer one ? My total-guess-in-the-dark ideas would be:
  1. Current behavior is caused by international text message routing weirdness -- e.g. text messages I sent a few days ago in the US get duplicated for some reason and re-sent
  2. Both current and N73 behavior is triggered by shoddy QA on lawful intercept systems
  3. Both current and N73 behavior is triggered by shoddy QA on the side of the parties that backdoor my phones
Now, I don't know if anyone else has ever suffered from this, or if there is a perfectly valid and proper explanation, or if there is an easy way to do diagnostics, but:
  1. If you backdoor my phone, fix your software. Kthx.
  2. If you write LI software, fix your software. Kthx.
  3. If there are multiple people backdooring my phone, please test for interoperability between your tools.
So, any other theories on what might be going on ?

Rolling Stone allegedly DDoSed for negative story - The Register - Security

30 June, 2009 11:49 PM
Perverted Justice

Federal prosecutors accused a Pennsylvania man of unleashing a crippling series of attacks against the websites of Rolling Stone and other groups after they published articles that cast him in an unfavorable light.…

CSRF And Ignoring Basic/Digest Auth - ha.ckers.org web application security lab

30 June, 2009 07:51 PM

One of the single most annoying things about CSRF and router hacking etc… is that you get the annoying popups on Basic and Digest authentication pages, asking you to log in. More and more devices are moving away from these popup style alerts and moving more towards form based authentication, which is better from a hacking perspective. But still, I would say the vast majority of firewall/switch/router devices out there use Basic or Digest based authentication. The problem with that from an attacker’s perspective is that it creates a noisy popup if it fails (if the user isn’t authenticated) that the user is bound to notice and question. Well, now we have an answer - at least in Internet Explorer:

<DIV STYLE="background-image: url(http://router/path.to.hack)">blah</DIV>

I know there are other tags that work, but probably not as well as this method from what I’ve seen so far. I haven’t found a reliable way in other browsers to allow this to happen, but I’ve only barely scratched the surface of the vast number of CSRFable tags out there. But anyway, yes, this doesn’t cause the Basic or Digest auth dialog to fire so it will be more stealthy upon performing a CSRF that fails. Of course for POST based CSRF you’re still out of luck…
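The reason the background-image trick works at all is that the browser attaches cached Basic or Digest credentials to any request for that origin, including one it issues on its own for an image. What follows is an added example, not code from the ha.ckers.org post, showing the server-side check a router or firewall admin interface can apply so that such a request cannot change device state. It assumes a constructed device origin (`DEVICE_ORIGIN`), a per-session random token that the device's own UI echoes back in an `X-CSRF-Token` header, and Node-style lowercase header names; the sample requests are constructed to mirror the post's scenario.

```javascript
// Added example (not from the original post): state-change authorisation
// for a device admin interface behind Basic/Digest auth.
// DEVICE_ORIGIN and the header/token scheme are assumptions for this example.
const DEVICE_ORIGIN = "http://192.168.1.1"; // constructed

function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Compare secrets without leaking length-prefix timing on mismatch.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether `req` may change device configuration.
// Returns { allowed, reason } so the caller can log the rejection.
function checkStateChange(req, sessionToken) {
  // 1. State changes only over POST: a GET fetched by <img> or a
  //    background-image never reaches a mutating handler.
  if (req.method !== "POST") {
    return { allowed: false, reason: "state change attempted over " + req.method };
  }
  // 2. Origin (or Referer as fallback) must be the device's own UI;
  //    cached credentials say nothing about which page made the request.
  const src = req.headers["origin"] || req.headers["referer"];
  if (!src) return { allowed: false, reason: "no Origin/Referer header" };
  const srcOrigin = originOf(src);
  if (srcOrigin !== DEVICE_ORIGIN) {
    return { allowed: false, reason: "cross-site request from " + srcOrigin };
  }
  // 3. A token the browser will not attach on its own, unlike Basic/Digest
  //    credentials, which it replays for every request to the realm.
  const token = req.headers["x-csrf-token"];
  if (typeof token !== "string" || !constantTimeEqual(token, sessionToken)) {
    return { allowed: false, reason: "missing or wrong CSRF token" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests.
const SESSION_TOKEN = "constructed-session-token-42";

// What the post's <DIV STYLE="background-image: url(http://router/...)">
// produces: a GET with the attacker page as Referer and replayed credentials.
const backgroundImageFetch = {
  method: "GET",
  headers: { referer: "http://attacker.example/page.html", authorization: "Basic <cached>" },
};
// A cross-site form POST: right method, wrong Origin, no token.
const crossSitePost = {
  method: "POST",
  headers: { origin: "http://attacker.example", authorization: "Basic <cached>" },
  body: "dns=...",
};
// The device's own UI submitting a change.
const legitimatePost = {
  method: "POST",
  headers: { origin: DEVICE_ORIGIN, "x-csrf-token": SESSION_TOKEN, authorization: "Basic <cached>" },
  body: "dns=...",
};

for (const r of [backgroundImageFetch, crossSitePost, legitimatePost]) {
  console.log(r.method, checkStateChange(r, SESSION_TOKEN));
}
```

The three checks are layered on purpose: the method check alone stops every image- and stylesheet-driven GET from the post, the origin check covers browsers that send Origin or Referer, and the token covers the case the post leaves open (a POST-based CSRF) as well as clients that strip Referer.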

Cryptography Spam - Schneier on Security

30 June, 2009 06:36 PM
I think this is a first. Information security, and protection of your e-money. Electronic payments and calculations, on means of a network the Internet or by means of bank credit cards, continue to win the world market. Electronic payments, it quickly, conveniently, but is not safely. Now there is a real war, between users and hackers. Your credit card can...

Researcher barred from demoing ATM security vuln - The Register - Security

30 June, 2009 06:00 PM
Not ready for prime time

A talk demonstrating security weaknesses in a widely used automatic teller machine has been pulled from next month's Black Hat conference after the machine vendor placed pressure on the speaker's employer.…

Max Vision pleads guilty to running cybercrime bazaar - The Register - Security

30 June, 2009 03:02 PM
Iceman melts

Notorious hacker Max Vision faces a lengthy prison sentence after pleading guilty to two counts of wire fraud involving the trafficking of around 1.8 million credit card numbers and running a clearing house for cybercrime.…