Daily Security News

general - Programmer gets 4 years in TJX hack case

Fri, 12 Mar 2010 23:21:57 +0000

Dirty laundry delivered via FedEx

A former Barclays Bank programmer received 46 months in prison for helping TJX hacker Albert Gonzalez launder as much as $800,000, according to news reports.…

theory - Friday Squid Blogging: Cipherlopods

Fri, 12 Mar 2010 22:21:58 +0000

This makes no sense to me, even though -- I suppose -- it's a squid cryptography joke....

general - Netflix cancels recommendation contest over privacy

Fri, 12 Mar 2010 22:20:06 +0000

Not as anonymous as you think

Netflix has canceled a contest designed to improve its movie recommendation system out of concern it might compromise the privacy of its customers.…

technical - Update on Security Advisory 981374

MSRCTEAM — Fri, 12 Mar 2010 21:34:14 +0000

Hi everyone,

I’m writing to let you know that we have updated Security Advisory 981374 with new workaround information. We are aware that exploit code has been made public for this issue. As with our last update, Internet Explorer 8 remains unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version.

On Wednesday we added a workaround to the advisory that helps to mitigate the vulnerability by disabling the peer factory class through the modification of a registry key. With today’s update, we have added a Microsoft Fix It to automate this workaround for Windows XP and Windows Server 2003 customers. As always, customers should test this thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected.

We have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications. We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs.

Please review the advisory for more information. We will keep you posted as additional information becomes available.

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

general - Trojan armed with hardware-based anti-piracy control

Fri, 12 Mar 2010 20:27:45 +0000

Zeus borrows page from Microsoft

The latest version of the Zeus do-it-yourself crimeware kit goes to great lengths to thwart would-be pirates by introducing a hardware-based product activation scheme similar to what's found in Microsoft Windows.…

What is your recession sales strategy?

theory - Another Schneier Interview

Fri, 12 Mar 2010 19:19:30 +0000

This one on simple-talk.com....

theory - Why DRM Doesn't Work

Fri, 12 Mar 2010 17:31:20 +0000

Funny comic....

general - Safari update cages numerous security bugs

Fri, 12 Mar 2010 16:11:32 +0000

Code inject and info flaws fixed

Apple published an update of its Safari browser on Thursday that plugs 16 security vulnerabilities.…

general - SSD tools crack passwords 100 times faster

Fri, 12 Mar 2010 14:42:41 +0000

Ultra brute force attack

Password-cracking tools optimised to work with SSDs have achieved speeds up to 100 times quicker than previously possible.…

theory - More Hollow Coins

Fri, 12 Mar 2010 12:58:19 +0000

A hollowed-out U.S. nickel can hold a microSD card. Pound and euro coins are also available. I blogged about this about a year ago as well....

general - McAfee inadvertently speeds creation of Metaploit IE exploit pack

Fri, 12 Mar 2010 12:09:00 +0000

Unsanitised blog laid exploit hunt clues

A security researcher has credited McAfee for helping him to develop exploit code that cracks open an unpatched flaw in older versions of Internet Explorer.…

general - Turkey cuffs 23 'militant' hacker suspects

Fri, 12 Mar 2010 10:03:24 +0000

PKK s'kiddies

Turkey has arrested 23 hackers suspected of links with the outlawed Kurdistan Workers' Party (PKK) and attacks on government websites.…

general - Securus Global Roles

Drazen Drazic — Fri, 12 Mar 2010 07:22:37 +0000

We’re looking for people again. Check out the role advertisement. If you think you fit the role description and want to join one of the region’s best and fastest growing security companies, give us a yell.

Just a note: while we are open to overseas people applying, and we have recruited OS before, having a work visa or the like for Australia is preferred.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

general - Sarah Palin to testify in email hack trial

Fri, 12 Mar 2010 06:02:01 +0000

After Yahoo! breach 'paralyzed' Veep campaign

Former Republican vice presidential candidate Sarah Palin will testify in person against the college student accused of breaching her Yahoo mail account and leaking some of its contents online, according to published reports.…

What is your recession sales strategy?

general - Risky Business #143 -- Cloud computing and the history of electricity

Patrick Gray — Fri, 12 Mar 2010 05:40:43 +0000

Tagline:

Are your electron-tubez cloudy?

Media URL:

http://media.risky.biz/RB143.mp3

Content Headers

Content Length:

20720130

Content Type:

audio/mpeg

On this week's show we're having an extended chat with our good mate Greg Shipley.

Greg's best known as the CTO of Chicago-based information security consultancy Neohapsis, and he'll be joining us to talk about what was on the agenda at the RSA conference. Apparently it's cloud, cloud, cloud... but what does that actually mean, mean, mean? Greg will be along soon to discuss, he's always good.

Forum Topic:

Risky Business #143 -- Cloud computing and the history of electricity

general - TSA worker tried to sabotage terror database, feds say

Thu, 11 Mar 2010 23:59:20 +0000

One week after losing job

A former data analyst for the US Transportation Security Agency has been accused of trying to sabotage a terrorist screening database used to vet people with access to sensitive information and secure areas of the nation’s transportation network.…

general - Microsoft plants Bing on Google-free Chinese Androids

Thu, 11 Mar 2010 22:37:13 +0000

Google apps 'postponed' on China carriers

Motorola will soon push Microsoft's Bing search engine onto Android phones in China, after announcing an alliance with the Redmond software giant that will see Bing appear on Androids across the globe.…

The power of collaboration within unified communications

general - One-third of orphaned Zeus botnets find way home

Thu, 11 Mar 2010 20:04:10 +0000

Cyber security's short-lived victory

The takedown of 100 servers used to control Zeus-related botnets may be a short-lived victory, security researchers said after discovering that about a third of the orphaned channels were able to regain connectivity in less than 48 hours.…

Case Study: WhatsUp keeps Legoland turnstyles ringing

theory - Wikibooks Cryptography Textbook

Thu, 11 Mar 2010 18:26:36 +0000

Over at Wikibooks, they're trying to write an open source cryptography textbook....

technical - Using Parameter Pollution and Clickjacking to Aid Anti-CSRF Bypass

RSnake — Thu, 11 Mar 2010 17:06:22 +0000

It’s been a while since I’ve talked about Clickjacking, with only a few exceptions here and there. Mostly because I haven’t seen it much in the wild - at least not yet. But there’s still a lot of research out there to be done. I got an interesting email the other day that talked about a way to use parameter pollution (or a mix of URL parameters and POST) to create a condition where you can defeat CSRF tokens:

The technique, found by Lava Kuppan describes a scenario where a mix of CSRF, parameter pollution and Clickjacking can defeat CSRF tokens in JSP and (sometimes) in ASP.NET. It’s worth a read. I did briefly mention using CSRF to pre-populate fields that may be necessary to create a Clickjacking scenario during Jeremiah and my brief talk at the world OWASP in New York. But this takes it to a new level, where you can pre-load information in such a way that it will actually defeat the application logic in the process. Anyway, cool stuff by Lava.

general - Koobface gang refresh botnet to beat takedown

Thu, 11 Mar 2010 16:32:16 +0000

Twitter scourge changes pants

Command and Control servers associated with the infamous Koobface worms have gone through a complete refresh over the last fortnight. Russian net security firm Kaspersky Lab reckons the change up might be aimed at making takedown efforts by cybercrime fighters more difficult.…

general - Estonian DDoS revenge worm crafter jailed

Thu, 11 Mar 2010 13:35:06 +0000

Infection still spreading

An Estonian virus writer has been jailed for two and a half years for creating a Windows worm family that launched denial of service attacks on the websites of a local insurance firm and ISP.…

general - Tories on cyber war: Waffle, mutter, waffle. Um, vote for us!

Thu, 11 Mar 2010 12:22:58 +0000

'Computers. Clicking, typing. Email. I could go on'

Tory peer and shadow security minister Baroness Pauline Neville Jones has set out her party's thoughts on cyber war and defence. Unfortunately once the waffle is stripped away there's pretty much nothing there.…

general - Password reset questions dead easy to guess

Thu, 11 Mar 2010 12:18:29 +0000

Your pet's name is Poochie? You're pwned

Guessing the answer to common password reset questions is far easier than previously thought, according to a new study by computer science researchers.…

theory - Wanted: Trust Detector

Thu, 11 Mar 2010 12:17:12 +0000

It's good to dream: IARPA's five-year plan aims to design experiments that can measure trust with high certainty -- a tricky proposition for a psychological study. Developing such experimental protocols could prove very useful for assessing levels of trust within one-on-one talks, or even during group interactions. A second part of the IARPA proposal might involve using new types of...

general - Bogus Playstation emulators pack Trojan payload

Thu, 11 Mar 2010 10:49:25 +0000

'Will be around for a long time'

Retro gaming fans are being targeted in a new con designed to infect computers with a Trojan linked to scareware scams.…

general - PayPal restores Cryptome for real

Thu, 11 Mar 2010 10:28:46 +0000

Now go away

PayPal has finally made good on its pledge to restore Cryptome's account many hours after the firm's head of global communications told Register readers it had already done so.…

general - Zeus botnets suffer mighty blow after ISP taken offline

Wed, 10 Mar 2010 23:23:57 +0000

One quarter of C&C channels vanish

At least a quarter of the command and control servers linked to Zeus-related botnets have suddenly gone quiet, continuing a recent trend of takedowns hitting some of the world's most nefarious cyber operations.…

Offloading malware protection to the cloud

theory - Nose Biometrics

Wed, 10 Mar 2010 19:47:12 +0000

Really: Since they are hard to conceal, the study says, noses would work well for identification in covert surveillance. The researchers say noses have been overlooked in the growing field of biometrics, studies into ways of identifying distinguishing traits in people. "Noses are prominent facial features and yet their use as a biometric has been largely unexplored," said the University...

general - Google boss says something will happen in China 'soon'

Wed, 10 Mar 2010 19:20:08 +0000

Eight weeks and counting

Google CEO Eric Schmidt has reiterated that the company is currently in negotiations with the Chinese government over its future in the country - despite the Chinese government's claims to the contrary - and he expects some sort of development "soon".…

Case Study: WhatsUp keeps Legoland turnstyles ringing

general - Cryptome: PayPal a 'liar, cheat and a thug'

Wed, 10 Mar 2010 16:10:18 +0000

Account still restricted

"PayPal is a fucking liar, a cheat and a thug," says Cryptome operator John Young. The eBay-owned payment service closed the Cryptome account last week, with over $5,000 of donations intended for Young in limbo.…

general - UK plastic fraud losses fall for first time in 3 years

Wed, 10 Mar 2010 13:21:31 +0000

Online banking losses up though

A rise in online banking fraud losses took some of the shine off the overall fall in debit and credit fraud in the UK last year.…

theory - The Limits of Identity Cards

Wed, 10 Mar 2010 13:09:08 +0000

Good legal paper on the limits of identity cards: Stephen Mason and Nick Bohm, "Identity and its Verification," in Computer Law & Security Review, Volume 26, Number 1, Jan 2010. Those faced with the problem of how to verify a person's identity would be well advised to ask themselves the question, 'Identity with what?' An enquirer equipped with the answer...

general - Twitter adds filter to cut phishing lines

Wed, 10 Mar 2010 12:46:30 +0000

Every twt.tl bit helps

Twitter has tightened up security procedures in order to curtail phishing attacks against users of the micro-blogging service, which have become rampant over recent weeks.…

general - Max Clifford takes £1m to drop hack probe

Wed, 10 Mar 2010 09:29:44 +0000

Kiss and don't tell

Celebrity publicist Max Clifford has agreed to accept a £1m plus payoff in exchange for dropping phone hacking allegations against the News of the World.…

general - Suburban woman accused of using net to recruit terrorists

Wed, 10 Mar 2010 07:02:02 +0000

Feds cuff JihadJane

A suburban Pennsylvania woman who went by the online alias JihadJane used the internet to recruit Islamic terrorists and to plot the assassination of a Swedish cartoonist who depicted the Prophet Mohammed, according to a federal indictment unsealed Tuesday.…

general - Fraud-prevention service ponies up $12m for 'false' ads

Tue, 09 Mar 2010 23:17:58 +0000

Agrees to safeguard customer data

An Arizona company that sells services designed to prevent identity theft has agreed to pay $12m to settle charges it oversold their effectiveness and didn't adequately protect sensitive customer data.…

general - It's official: Adobe Reader is world's most-exploited app

Tue, 09 Mar 2010 20:33:45 +0000

The new Microsoft

Adobe's ubiquitous Reader application has replaced Microsoft Word as the program that's most often targeted in malware campaigns, according to figures compiled by F-Secure.…

general - New Internet Explorer code-execution attacks go wild

Tue, 09 Mar 2010 19:08:33 +0000

IE 6 and 7 users targeted

Online thugs are exploiting a security bug in earlier versions of Internet Explorer that allows them to remotely execute malicious code, Microsoft warned on Tuesday.…

What is your recession sales strategy?

theory - Marc Rotenberg on Google's Italian Privacy Case

Tue, 09 Mar 2010 18:36:00 +0000

Interesting commentary: I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established...