Fortinet, a network security provider and unified threat management (UTM) solutions specialist, has observed the highest level of total malware detected in more than a year. According to its October 2009 Threatscape report, the level of total malware detected was four times greater than in September. Scareware tactics hit an all-time peak last month and the attacks were very severe. The frequency of these attacks has increased and they are occurring faster and harder than ever. A glanc... read more»
A Call for Action investigation a year in the making reveals one possible way thieves could get a hold of your personal information. 24,000 Floridians complained to the Federal Trade Commission last year about identity theft. That made Florida the 3rd most likely place for identity theft--right behind Arizona and California. This is why the results of a WINK Call for Action investigation are so disturbing. Last year, Call for Action spent just fifty dollars to purchase ten used hard dri... read more»
RSA Security's research lab, AKA FraudAction, has shut down a scam involving reshipping and cash mules. In a blog post, the firm said the scam involved a recruitment ad on a bogus web site for a fake parcel delivery firm. Luckily, the web site was so riddled with errors that most people who were lured to it got wise to the con. RSA said that "candidates" were asked to send in their personal information as part of the application process. Apparently, 1,900 people fell for the ruse and lost ... read more»
An NHS trust has lost data relating to 1,000 occupational therapy patients and staff members, according to the Information Commissioner's Office. Great Yarmouth and Waveney Primary Care Trust (PCT) informed the ICO of the theft of two desktop computers containing sensitive personal data including information about people’s physical or mental health and trade union membership. The premises did not have an intruder alarm system, the internal office doors did not have security locks and the c... read more»
On the first anniversary of the McColo shutdown, spam levels have more than recovered, according to experts. Recent figures released by security firm McAfee indicate that spam levels are at an all-time high. When the notorious hosting provider was shut down in November 2008, spam levels immediately plummeted. Though experts were sceptical that the shutdown would deal a lasting blow to spammers, there was hope that levels would at least drop slightly.... read more»
A 37-year-old Renton man accused of stealing hundreds of identities and credit cards was sentenced to a five-year prison term Friday in U.S. District Court. According to a statement issued by the U.S. Attorney's Office in Seattle, Billy Morris Britt took part in an ID theft ring that targeted 23 different financial institutions and netted as much as $3 million by selling stolen goods on eBay. Prosecutors allege that Britt stole credit cards from gym lockers, produced counterfeit identificatio... read more»
What you don't know (or aren't concerned about) can hurt you, your clients, your employees, and your practice. That’s because without proper cybersecurity training and education, your practice is at risk of losing vital customer and company data. Chances are, you're like most small businesses in America. You store client information, including credit card data, and practice financial records online. At least, that’s what the latest data from the National Small Business Cybersecurity Study suggest... read more»
The potential danger of shopping online is that it can open the door to viruses, spam and phishing attacks that invade the workplace and cost enterprises thousands per employee in lost productivity and potentially millions in destruction or compromise of corporate data. Employees plan to spend nearly two full working days (14.4 hours) on average shopping online from a work computer this holiday season, according to a survey conducted on behalf of ISACA, a nonprofit association of 86,000 info... read more»
A majority of Web sites have at least one major security issue that could be used by hackers for fraud-related purposes, according to a new survey. Some 64 percent of 1,300 Web sites run by 250 enterprises have at least one serious vulnerability, said WhiteHat Security, which specializes in finding vulnerabilities in Web applications. The statistics come from WhiteHat's customer base, which lets the company regularly review their sites for problems.... read more»
Security researcher Laurent Gaffié mocked Microsoft (NSDQ: MSFT)'s Secure Development Lifecycle process in a blog post on Wednesday in which he published proof-of-concept exploit code that he claims can crash Windows 7 and Windows Server 2008 R2. "This bug is a real proof that SDL #FAIL," he wrote, adding "The bug is so noob it should have been spotted 2 years ago by the SDL if the SDL [had] ever existed." The vulnerability appears to reside in Microsoft's Windows Server Message Block (SMB... read more»
Nearly a third of federal IT pros say their agency experiences at least one cybersecurity incident each day, according to a new survey. The survey of 300 federal IT pros found that 31% said their agency experiences a cybersecurity incident -- external attack, malware, lost device, inappropriate employee access, or other threat -- daily. The frequency of such problems is at the same level or slightly higher than last year for most survey respondents, and their severity has remained about the ... read more»
The Sydney Morning Herald has run an interview with Wollongong student Ashley Towns, the creator of what is being called the world’s first iPhone virus. Towns’ virus, a worm which runs on jailbroken iPhones, Rick-rolls its targets by changing the background to a picture of Rick Astley. There is some debate as to whether Towns actually wrote the virus or is a script kiddie who plagiarised code placed on the Internet by European hackers only a few weeks ago.... read more»
The creator of the rickrolling iPhone worm has spoken of possible job offers and death threats since the release of the Jesus Phone malware last weekend. Ashley Towns, 21, from Wollongong, New South Wales, Australia, told local media he received both threats and offers of possible work a day after he was identified as the creator of what's been described as the first strain of iPhone malware. The malicious code created by Towns changed the wallpaper of jailbroken iPhone devices it infected to... read more»
We live in a unique time in our technological history. The cameras are ubiquitous, but we can still see them. ID checks are everywhere, but we still know they're going on. Computers inherently generate personal data, and everyone leaves an audit trail everywhere they go. Bruce Schneier, internationally-renowned cryptographer, technologist and author, will share his vision of current and future technologies' effects on privacy. Schneier rejects the traditional "security vs. privacy" dichotomy ... read more»
Cheryl Roberts, 61, suspected her husband David was accessing chatrooms to lure girls into sex, so she set up a different computer in their home to pretend she was a 14-year-old girl and caught him in the act. A court heard she linked up with Roberts, 68, as he was in the study while she was in the neighbouring living room. Roberts, a former pub landlord, propositioned the "girl", asking her to meet up with him for sex, and Mrs Roberts was so shocked by his behaviour that she contacted police, who seiz... read more»
We've been playing around with augmented reality for a time now, the technology seems to be on a tipping point with iPhone (not just the overlay - not truly AR, but they do have true AR apps), Android and other forms of capture and processing. To me this is the future of security visualization. I know it is a bold statement to make, but when you start to develop and delve deeper the possibilities are endless. If you look at my site you will see the direction of our research.... read more»
A reputation-based economy means that infrastructure providers care more about security than their customers do. I realized this 10 years ago with my own company. We provided network-monitoring services to large corporations, and our internal network security was much more extensive than our customers'. Our customers secured their networks -- that's why they hired us, after all -- but only up to the value of their networks. If we mishandled any of our customers' data, we would have lost the trus... read more»
Coming on the heels of similar fraud schemes that targeted victims using the names of such familiar institutions as the FDIC, IRS, and HMRC, scammers are trying to get people to infect their own computer using a different organization’s name—one that is probably unfamiliar to most people. NACHA is a not-for-profit association that “oversees the Automated Clearing House (ACH) Network, a safe, efficient, green, and high-quality payment system.” In other words, they run the pipes that keep money fl... read more»
Not-for-profit financial organization NACHA, which oversees an electronic payment system called the Automated Clearing House (ACH) Network, has issued an immediate release today in response to a surge in spam e-mails that are part of a phishing attack. The release, posted to the official NACHA Web site, reads: Random individuals and/or companies may have received a falsified e-mail with the subject title "Rejected ACH Transaction." This e-mail appears to be from NACHA - The Electronic Payments... read more»
A phishing attack Tuesday, labeled as a critical alert, caused several students to fall prey to the scam, and e-mails were delayed by almost two hours. Technology Services Help Desk staff member Steve Kuchta stated in a critical alert issued by Technology Services that the VCU community reported a new phishing e-mail with a link to a Web site mocked up to look like the VCU Central Authentication Service login page. "The (e-mail) uses a fake VCU (e-mail) address, VCU WebMail (service@vcu.edu) a... read more»
Google isn't content with providing us with fast search and a fast browser: we need a faster protocol between servers and browsers. The search giant would like us to start forgetting about HTTP:// and learn to love SPDY://. Ars takes a look at the proposal as well as its strengths and weaknesses. The main problem with HTTP is that today, it's used in a way that it wasn't designed to be used. HTTP is very efficient at transferring an individual file. But it wasn't designed to transfer a large ... read more»
The scientists say that when users forget their password for accessing their email account or an online shopping site, the security questions, such as "what is your mother's maiden name?", are too easy for cybercriminals to guess. Rutgers computer scientists are testing a new tactic that could be both easier and more secure. "We call them activity-based personal questions," said Danfeng Yao, assistant professor of computer science in the Rutgers School of Arts and Sciences. "Sites could ask you, 'W... read more»
Two-thirds of the sites that tend to care most about security still have serious unfixed vulnerabilities, according to an analysis from web security firm WhiteHat Security. The statistics from WhiteHat's report, released today, cover vulnerabilities found in custom Web applications on 1,364 different Web sites. That number is only a small fraction of the number of sites online, but it represents those companies that have contracted with WhiteHat for additional security scanning, and therefore... read more»
Details five key steps to take before moving to the cloud. The not-for-profit Information Security Forum (ISF) today released a new report detailing ways in which firms can minimise data security risks when moving to cloud computing environments. Working with its member organisations, the ISF has produced Security Implications of Cloud Computing, which covers various areas including how to manage user identities and credentials, third-party service providers, legal and regulatory issues, a... read more»
According to researchers on cyber security at the Information Systems Audit and Control Association (ISACA), an international non-profit team of IT specialists, company employees doing online shopping could increase security risks for their organizations, as this practice could invite spam, viruses and phishing attacks, reported THEPOST.IE published on November 1, 2009. As per the reports, the risks could mean potentially huge dollar losses per employee to businesses in terms of lost producti... read more»
It happened on October 24, 2009, when friends and associates of Mr. Lawrence Goff, a Newark-based Town Councillor (Nottinghamshire, UK), started receiving an e-mail according to which he was in Spain, had lost his wallet, and his possessions were being held by the hotel management. He had to settle the hotel bill in order to regain his belongings. Ironically, the councillor was at his home at that time, as reported by Newark Advertiser on October 30, 2009. As per the details of the e-mail scam, it w... read more»
According to the Internet security firm Network Box, although malware volumes continued to be high during October 2009, attacks emanating from the usually large malware-producing countries - China, US, Brazil and Korea - were found to be lower than their levels in September 2009. Reportedly, in the US, spam volumes declined 3% in October, making it the No. 5 country among the top spam producers. The decline is also significant considering that the country was so far the greatest source of spam world... read more»
According to a security researcher at Websense, a Web security firm, organizations are increasingly taking advantage of blogs, social-networking websites, Twitter and other Web 2.0 mechanisms to improve communication with their partners and customers; however, if adequate protection is not deployed, this can expose them to serious Web-related threats. David Meizlik, director for Web and Data Security at Websense, states that Twitter ... read more»
Researchers from the Swiss Federal Institute of Technology in Zurich and the French National Institute for Research in Computer Science and Control have now developed a scheme for protecting implantable medical devices against wireless attacks. The approach relies on using ultrasound waves to determine the exact distance between a medical device and the wireless reader attempting to communicate with it.... read more»
Human error is to blame for the accidental exposure last week of more than 4,500 Chaminade University students' Social Security numbers on the private Catholic college's official Web site. University officials discovered the snafu Wednesday and quickly removed the obscure but accessible links from the Web site. The students' Social Security numbers were exposed for about eight months, according to a statement released by the Honolulu-based university, and thus far there is no evidence that... read more»
The DRG is a not-for-profit, non-revenue generating entity, composed of a geographically dispersed set of trusted volunteers who are passionate about making the Internet more secure. To meet the intended purpose, there is a rigorous vetting procedure. Selected volunteers are part of a group that will have access to the data and tools that can really make a difference in the fight against online crime. Volunteers may take on any number of roles including but not limited to analyst, tool ma... read more»
RSA FraudAction Research Lab has uncovered the workings behind a recent re-shipping scam in which U.S. residents were used as mules to send goods purchased with stolen credit card numbers overseas. The operation began a year ago and received applications from more than 1,900 people, though only 33 people were "hired," according to an RSA FraudAction Research Lab blog post on Thursday.... read more»
Hackers are going to exploit the Windows kernel bug patched by Microsoft this week sooner rather than later, security researchers said. The bug is in the Windows kernel, the heart of the operating system. The kernel improperly parses Embedded OpenType (EOT) fonts, a compact form of fonts designed for use on web pages that can also be used in Microsoft Word and PowerPoint documents.... read more»
A 21-year-old man is in the Sumter County jail after authorities discovered images of child pornography on his computer following a routine cybercrime investigation. Anthony Enoch was arrested Tuesday morning by Attorney General's Tampa CyberCrime Task Force officers after a joint investigation by the CyberCrime Unit and the Sumter County Sheriff's Office.... read more»
U.S. companies, even small and medium size, are more and more exposed to cyber threats from organized crime, foreign intelligence services, and probably terrorist organizations; 85 percent of U.S. critical infrastructure is owned and operated by private companies -- and these companies are especially vulnerable to determined attacks which may ruin or seriously disrupt company operations.... read more»
A former Quebedeaux Pontiac employee was sentenced today to five years in prison after pleading guilty to bank fraud and aggravated identity theft. John Savage III, from Fort Lauderdale, Florida, moved to Tucson in October 2007 and took a job with the local dealership, where he had access to customer credit cards. He stole some reports and used information obtained from two credit card applications to obtain cell phone service.... read more»
A man who worked at a Florida resort received a time-served jail sentence for stealing the identities of more than 100 vacationers, including some from Collegeville and West Norriton, and using the credit card information to pay for his own trips. Carlos Raynard Roberts, 22, who worked as a booking agent at the Fountain Beach Resort in Daytona Beach, Fla., was sentenced in Montgomery County Court to one year and 11 days already served to 23 months in jail after he pleaded guilty to felony cha... read more»
While a number of trusted sources continually decry the vulnerabilities present in web applications, this vector remains the primary avenue of attack for cybercriminals, according to a WhiteHat Website Security Statistics Report released on Thursday. Despite metrics that substantiate the claims and any number of security best practices recommendations, many organizations, particularly those building custom web applications, are at risk, says the report, which measured data collected from Jan.... read more»
The hacking of a police website earlier this week is indicative of a lack of secure website development. Phil Neray, vice president of security strategy for Guardium, claimed that SQL injection is a big problem worldwide, and restricted budgets mean organisations are unable to hire the most sophisticated web developers, which results in security flaws like SQL injection.... read more»
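The flaw Neray refers to, shown as an added example that is not code from the article or from Guardium: a login check built by string concatenation beside the same check written with a parameterised query, run against a constructed in-memory SQLite table (the table, users and passwords are invented for the example).

```python
import sqlite3


def make_db():
    """Constructed sample database for the example, not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so attacker-controlled
    input becomes part of the SQL grammar instead of being a value."""
    query = (
        "SELECT username, role FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from the
    statement text, so quotes or comment markers in the input cannot change
    what the statement means."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Classic tautology in the password field: the WHERE clause becomes
    # (username = 'alice' AND password = '') OR '1' = '1', true for every row.
    tautology = "' OR '1'='1"
    # Comment marker in the username field: everything after -- is ignored,
    # so the password comparison disappears from the statement entirely.
    comment = "alice'--"
    print("vulnerable, tautology:", login_vulnerable(db, "alice", tautology))
    print("vulnerable, comment:  ", login_vulnerable(db, comment, "wrong"))
    print("safe, tautology:      ", login_safe(db, "alice", tautology))
    print("safe, comment:        ", login_safe(db, comment, "wrong"))
    print("safe, real password:  ", login_safe(db, "bob", "hunter2"))
```

The vulnerable function returns the admin row for both payloads without a valid password; the parameterised version returns nothing for either and still authenticates a genuine user. The fix does not need a more sophisticated developer, only the placeholder syntax every mainstream database driver already provides.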
Cybercriminals are using compromised Twitter accounts to spam out information-gathering websites to unknowing users. The attack starts with compromised Twitter accounts. The accounts are used to send out Direct Messages to the followers of the users who own the compromised accounts. The Direct Message—which is basically the Twitter counterpart of a private message—contains a link to what looks like an IQ test website: An IQ test may seem harmless but the last thing asked for in the test... read more»
The October malware charts - just released by Sunbelt Software - show that the password-stealing trojan Trojan-Spy.Win32.Zbot.gen maintained the top spot on the list for the seventh straight month and is growing at an alarming rate. To see the chart, click the following URL: http://www.sunbeltsoftware.com/malware-threat-report/... read more»
He was China's youngest Abbot in the Shaolin Temple – 22 when he ascended the throne. He was one of the first monks in China with an MBA. Now, he is in the spotlight again after hackers targeted the website established to promote Shaolin's shows and products worldwide. The hackers have posted a purported letter of confession on the site (shaolin.org.cn) in the name of the Abbot Shi Yongxin, who "admitted his guilt" in commercializing the temple generally considered as the cradle of China's t... read more»
Health and Human Services Department officials are looking for information technology solutions that comply with a key federal cybersecurity law while also allowing for exchange of federal health data with private entities, a senior health data exchange official said today. Currently, federal medical agencies that handle patient data must comply with the Federal Information Security Management Act. If they want to share that data, the recipients also may need to comply with FISMA, according t... read more»
The Forum for Incident Response and Security Teams (FIRST) was established with the vision of providing access to best practices, tools and trusted communications among member incident response teams. The FIRST Technical Colloquium (TC) provides a discussion forum for FIRST member teams to share information about vulnerabilities, tools and other issues that affect the operation of incident response and security teams. The FIRST TC is hosted by the members and usually takes place every qua... read more»
Organisations that lose individuals' data could face a fine of up to £500,000 under proposals being considered by the government. From next year, the privacy watchdog the Information Commissioner's Office (ICO) will be able to fine companies that recklessly or maliciously breach the Data Protection Act (DPA). The Ministry of Justice yesterday launched a public consultation on the maximum amount such fines can run to - a figure it proposes should be set at £500,000.... read more»
The fact that the vast majority of websites, including those considered most business critical, are riddled with vulnerabilities is common knowledge to regular readers of this report. Essentially, every other industry report available unanimously agrees Web applications represent the #1 avenue of attack. Unfortunately, what is not well-known is exactly what are the most efficient steps to measurably improve the security posture of an existing website, or one soon to be built. Ironically, there i... read more»
The US has said it "regrets" the jailing of Azerbaijani bloggers Adnan Hajizade and Emin Milli, on what human rights organisations consider a trumped-up charge of "hooliganism". The pair are described by Amnesty International as "well-known youth activists who have used online networking tools, including YouTube, Facebook and Twitter, to disseminate information about the socio-political situation in Azerbaijan".... read more»
Police are shutting websites without keeping any records, hampering government efforts to address online extremism, it's been revealed. The Terrorism Act 2006 granted powers for police to compel web hosts to shut down websites promoting terrorism. But the powers have never been used, and forces have instead persuaded providers to take down websites voluntarily, according to the security minister Lord West.... read more»
Over the past few years, the Internet has become a dangerous place. Initially designed to accommodate a relatively small number of users, it grew far beyond anything its creators could have anticipated. There are currently over 1.5 billion Internet users and this number continues to increase as technology becomes even more affordable. Criminals have also noticed this trend and they soon realized that committing crimes over the Internet – now generally referred to as 'cybercrime' – has certain... read more»
The UK's new cyberwarfare unit will be ready for action on 10 March, according to the government. The Cyber Security Operations Centre (CSOC), located at GCHQ in Cheltenham, will have an initial staff of 19, said Baroness Crawley. CSOC will monitor the internet for threats to UK infrastructure and counter-attack when necessary. The staffing figure, released in response to a Parliamentary question, puts paid to recent hyperbole suggesting the intelligence agencies were recruiting a 50-strong "... read more»
The Electronic Payments Association has received reports that individuals and/or companies have received a fraudulent e-mail that has the appearance of having been sent from NACHA. See sample below. The subject line of the e-mail states: “Rejected ACH Transaction.” The e-mail includes a link which redirects the individual to a fake web page that looks like the NACHA Web site and contains a link that is almost certainly to an executable virus carrying malware. Do not click on the link. Both the e-ma... read more»
The extradition to the US of computer hacker Gary McKinnon should be halted owing to his "precarious state of mental health", MPs say. The Home Affairs Committee also said there was a "serious lack of equality" in US-UK extradition arrangements. But the Home Office said there was "no imbalance" and no need for a review.... read more»
More than half the 570,000 calls to the national Kids Helpline service are from NSW and many relate to school bullying, a government inquiry has found. The NSW upper house inquiry into bullying of children and young people released its final report yesterday, identifying an alarming rise in cyber bullying. The committee was critical of the State Government's failure to fund the Helpline service and a lack of co-ordination between state government departments and agencies in the implementatio... read more»
When 21-year-old Ashley Towns released the very first iPhone virus from his home in Wollongong a week ago he was not anticipating death threats, media interviews or job offers. But he says he got all three in one day after an audacious viral security “experiment” got out of hand, pushing Rick Astley's face onto hundreds of iPhone screens and making headlines around the world. It all began when Towns was downloading programs for writing iPhone applications.... read more»
Hackers can exploit a flaw in Adobe's Flash to compromise nearly every Web site that allows users to upload content, including Google's Gmail, then launch silent attacks on visitors to those sites, security researchers said today. Adobe did not dispute the researchers' claims, but said that Web designers and administrators have a responsibility to craft their applications and sites to prevent such attacks.... read more»
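The article says the site, not Flash, has to prevent the attack; the following is an added example of the kind of site-side check that helps, not code from the article, from the researchers or from Adobe. It refuses uploads whose leading bytes identify them as Flash (SWF) content whatever name the client gave them, checks that the bytes match the declared image type, and builds the response headers for serving stored uploads as downloads rather than inline content. The allowed types, the file names and the sample bytes are constructed for the example; treating uploads as downloads and hosting them on a separate domain are this editor's assumed hardening, not guidance quoted from the article.

```python
# SWF files start with a three-byte signature followed by a version byte:
# "FWS" uncompressed, "CWS" zlib-compressed, "ZWS" LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Leading bytes for the upload types this hypothetical site accepts.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def looks_like_swf(data: bytes) -> bool:
    """True when the content begins with an SWF signature and version byte."""
    return len(data) >= 4 and data[:3] in SWF_SIGNATURES


def check_upload(data: bytes, filename: str):
    """Return (accepted, reason) for an uploaded body and its client-supplied
    name. The client's name and Content-Type are never trusted on their own:
    the body must not be an SWF, and it must start with the magic bytes of
    the type its extension claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if looks_like_swf(data):
        return False, "content is an SWF file"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def download_headers(filename: str) -> dict:
    """Headers for serving a stored upload (assumed hardening): force a
    download instead of inline rendering and forbid content sniffing. This
    complements, rather than replaces, hosting uploads on a separate domain
    so that a misread file cannot run with the main site's origin."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample uploads: an SWF renamed as a GIF, a real GIF, a PNG
    # body under a .jpg name, and a Windows executable.
    samples = [
        (b"FWS\x0a" + b"\x00" * 16, "avatar.gif"),
        (b"GIF89a" + b"\x00" * 10, "avatar.gif"),
        (b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, "photo.jpg"),
        (b"MZ" + b"\x00" * 14, "setup.exe"),
    ]
    for body, name in samples:
        print(name, check_upload(body, name))
    print(download_headers("avatar.gif"))
```

The SWF check is deliberately separate from the per-type magic check so that the rejection reason is explicit in logs; a file cannot carry both a GIF header and an SWF signature in its first bytes, but the extra branch costs nothing and makes the intent of the filter obvious to the next maintainer.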
Britney Spears' Twitter profile was again seized by hackers on Thursday. Pop-savvy malefactors broke into her account to post a message apparently suggesting the troubled pop star had sold her body and soul to Satan in the hopes of speeding up the apocalypse. The tactics employed by the hack are unclear but illustrate that verified accounts might offer a mechanism to prevent naughty nonentities posing as celebs, but aren't much defence against hackers hijacking profiles.... read more»
I was checking my personal Twitter feed today and saw friends posting how long they’ve been tweeting along with a link. The tweet looked something like this: “Tweeting for # years, # months, # weeks, # day, # hours, # minutes # seconds (MM DD, YYYY) How about you? Being curious, I decided to investigate the link. The first thing it does is ask for your screen name and shows a bunch of ads of “How to get more Twitter followers”. Ok, not the best ads, but moving on. You enter the s... read more»
In all geographic regions, we have observed that external breaches have fallen sharply over the past 12 months. This is not due to hackers giving up and finding other avenues to pursue but rather to the fact that organizations are getting more security-savvy, being less reactive and more proactive. We have said that hackers' methods are getting more sophisticated - the same is true of the technology designed to thwart them.... read more»
(from information-security-resources at 13-11-2009)
The ISA will release a new cybersecurity report, which proposes frameworks for taking key issues in the Obama Administration’s “Cyberspace Policy Review” document to the next level, in an effort to achieve tangible progress. The report will include frameworks for creating a new, practical model for information sharing; addressing the international nature of cybersecurity issues; developing a market for adopting good security standards and practices; building a highly educated digital workforc... read more»
The only IT conference that focuses on real-world solutions that you can use now, for the technologies you already have as well as for those that are just around the corner. There are no corporate shills trying to sell you products that aren’t available, and no time is spent "teaching" you technologies that don't exist yet. You'll learn from the real gurus who are in the trenches, the authors, columnists, bloggers, and instructors that continue to make TechMentor one of the most technically powe... read more»
There are nearly half a million ATMs in the U.S. Most are affiliated with reputable banks and monitored daily. But we discovered that anyone can get into the cash dispensing business. There are no regulations in the U.S. on who can own or operate an ATM. “I can go right on craigslist or ebay and just type in ATM, and instantly you’re going to find companies’ ATM machines,” says Boston area identity theft expert Robert Siciliano. He shows us dozens of new and used ATMs for sale online all over... read more»
(from information-security-resources at 13-11-2009)
Congress is still considering the Informed P2P User Act, a law that would supposedly make it safer to use peer-to-peer file sharing software, an effort that is similar to banning mosquitoes from sucking blood. It just isn’t happening. The only foolproof way to prevent accidental data leaks via file sharing programs is for IT administrators to lock down networks and prevent the installation of rogue software. Congress suffered another embarrassing P2P breach recently, after a confidentia... read more»
The popular social media service Twitter is being targeted by a new attack seeking access to user accounts to send spam via direct messages. At first, the attack was thought to be the result of “phishing” or social engineering asking people to enter their username and password details into bogus sites masquerading as Twitter’s website, possibly done by utilising a cross-site scripting vulnerability. However, New York-based PHP and application security specialist Chris Shiflett says that he stro... read more»
The CIA and other intelligence agencies have long been interested in the Society for Worldwide Interbank Financial Telecommunication, or SWIFT. The Society, headquartered in Belgium, operates the primary system used for international, and some national, bank transfers. Whoever controls SWIFT has access to the full details of millions of yearly bank transfers, including banks, time, names, amount and account numbers. In 2002 the US government entered into a secret agreement to acquire SWIFT record... read more»
Companies that suffer serious data breaches could be fined up to £500,000 under government plans announced this week. On Monday, the Ministry of Justice launched a consultation over levels of monetary penalties for breaches of the Data Protection Act. In a press statement, justice minister Michael Wills said the powers of the body that enforces the act, the Information Commissioner's Office, needed to be strengthened. 'The government is committed to ensuring that personal data is handled a... read more»
Kessler International, the world's preeminent global computer forensics, investigative, forensic accounting and consultancy firm, today announced the results of a study which revealed that nearly 25% of the pre-owned PDAs purchased on eBay still held highly sensitive corporate data and embarrassing personal information about their previous owners. Members of Kessler's cellular forensics team randomly selected eBay merchants selling second-hand Blackberries and Palm PDAs and purchased a total ... read more»
A researcher is working on a solution for penetration testers that's a first step toward ultimately integrating and correlating data among different types of penetration-testing products. Josh Abraham, a.k.a. "Jabra," will release some proof-of-concept tools tomorrow at the OWASP AppSec Conference in Washington, D.C., that let pen testers integrate data they gather in their white-hat hacking projects. "This is a step in the right direction. We haven't even had the ability to extract that i... read more»
The website for Bulgaria's Chief Directorate for Combating Organised Crime (CDCOC) was briefly hacked on November 12. Instead of the site's homepage, a red background with four skulls, surrounded by slain dragons and the text "HacK3D by tAn1A. With loVe from Russia. iT's WaR," appeared, Bulgarian daily Trud said. Within 15 minutes the original page had been restored, Trud said.... read more»
WhiteHat Security has released a report, assembled from real-world website security data, that gives a high-level perspective on major website security issues that continue to compromise corporate data across all industries. The report contains data collected between January 1, 2006 and October 1, 2009, and finds that the percentage of high, critical or urgent issues continues to slowly increase. 83 percent of websites have had a high, critical or urgent issue over their lifetime and 64 percent of websites... read more»
Georgia Tech researchers have received a $450,000 NSF grant to boost security of iPhones, BlackBerries and other smartphones and the wireless networks on which they run. And it’s those networks where the researchers are really zeroing in. The researchers are looking into ways wireless carriers such as AT&T and Verizon can detect malware on devices and clean up the devices before they do further damage. "While a single user might realize that a phone is behaving differently, that person pro... read more»
Cyberterrorism might mean different things to different people, but one thing is certain – it needs to be taken incredibly seriously. What are we dealing with? How can we defend our nation? How will cyberterrorists of the future look to attack? The (ISC)2 US Government Advisory Board Executive Writers Bureau answers these questions. One of the key challenges of understanding ‘cyberterrorism’ is defining exactly what the term means. The term has been used in the past to refer to known terrorist... read more»
Spam has been detected as being sent from the ZeuS botnet that prompts users to update their MySpace account. Trend Micro senior security advisor Rik Ferguson claimed that the spam is similar to the Facebook related spam seen last week, with the user ‘required to update' their MySpace account with a link provided. Ferguson said: “The link in the mail leads to a standard fake MySpace login page, so of course your account details are stolen. Once you have ‘logged in' though, the supposed ‘My... read more»
Techcrunch has done an interesting story about the businesses that came up with the big popular social games: things like Farmville, Pet Society and Mobsters. The three companies behind these and other social games -- Zynga, Playfish and Playdom -- have about 100 million subscribers and are making $300 million per year just from the sale of virtual goods. Making money is great, but there are some referral schemes that they offer that can get you hooked into services that will cost more t... read more»
According to security researchers, SoftBarrier, the latest development of the hackers from Winisoft, also known as WiniGuard, appears to be one of the biggest roguewares in the Internet world, as reported by WindowsXP/VistaBlog on October 28, 2009. Reportedly, Winisoft is the creator of a rogueware family. Experts say that, like most fake anti-spyware applications, SoftBarrier enters the system through different Trojans. It promptly sneaks into the user's system and configures the Windows Registry. T... read more»
A well known commercial provider of spyware applications for numerous mobile platforms has recently ported its Mobile Spy app to the Android mobile OS. Just like previous releases of the application, the Android version keeps a detailed log of GPS locations, calls, visited URLs, and incoming/outgoing SMS messages, available at the disposal of the attacker who installed it manually by obtaining physical access to the targeted device. Despite the company’s positioning as a vendor offering t... read more»
Hello all, Our next XCCDF developer teleconference will be on Thursday, November 19 at 3:00 ET. Dial-in information is below along with a web conference link (the latter which I primarily use to show references to relevant documents or proposals). The purpose of this discussion will be to review the three outstanding XCCDF proposals (binding Rules to checks with version information, binding Rules to check-files with signatures/hashes, and updates to XCCDF Values to allow for more c... read more»
A test case fought by the Electronic Frontier Foundation (EFF) has shown the extent to which the US government is willing to bend the law in its quest for data it wants. Indymedia is a news aggregator for left-wing and libertarian writers and on 30 January one of its volunteer administrators Kristina Clair received a grand jury subpoena from the Southern District of Indiana federal court.... read more»
The number of security flaws being found in Web applications continues to grow and will likely dominate the security agenda for years to come, according to a report by application security vendor Cenzic. Almost 80 percent of more than 3,000 software security flaws publicly reported so far this year have been in Web technologies such as Web servers, applications, plugins, and Web browsers. That number is about 10 percent higher than the number of flaws reported in the same period last year -- ... read more»
Researchers at the University of Pennsylvania say they've discovered a way to circumvent the networking technology used by law enforcement to tap phone lines in the U.S. The flaws they've found "represent a serious threat to the accuracy and completeness of wiretap records used for both criminal investigation and as evidence in trial," the researchers say in their paper, set to be presented Thursday at a computer security conference in Chicago.... read more»
Many of us know about the U.S. federal law regulating spam, known as the CAN-SPAM Act (or at least we think we do). But what about the laws internationally? First: a disclaimer: IANAL (I am not a lawyer). If you use this blog post as a substitute for legal advice, you're probably not thinking straight! That said, here are a few notable international spam laws... read more»
The Information Commissioner's Office (ICO) today warned data controllers that it would soon be taking tougher action to curb what it called unacceptably high levels of data theft. Speaking at an event for data controllers, deputy information commissioner David Smith said that of 711 reports about security breaches sent to the ICO in the past two years, 231 were related to theft. Smith urged firms to tighten up their security measures and practices, warning them that failure to do so would... read more»
Palo Alto Networks of Sunnyvale, Calif., issued its Fall 2009 Application Usage and Risk Report (“An Analysis of End User Application Trends in the Enterprise”), analyzing traffic patterns on more than 200 worldwide networks. The Palo Alto researchers document massive growth in social networking and collaborative applications for business since their last report in April. The use of blogs and wikis increased 39 times, with total bandwidth use for those two activities increasing 48 times. ... read more»
The NSW government plans to create three new identity offences - trafficking in identity data, possession with intent to commit a crime, and possession of equipment for the purpose of identity theft - in an overhaul of the state's Crimes Act. The new laws will apply to offences committed offline and online. The most serious offence, trafficking - the sale or use of personal identification information - will carry a penalty of up to 10 years in jail, while the penalties for possession of in... read more»
Bloomsburg University of Pennsylvania is notifying current and former students who were enrolled in psychology professor Julie Kontos' classes from spring 2004 through the summer of 2006 about the possible loss of their social security numbers when a laptop was stolen from a campus office. On Nov. 1, several computers and small digital devices were stolen from offices in BU's Centennial Hall. One of the devices is a laptop computer owned by the psychology department for use by Kontos, int... read more»
Cyber security superstar Ankit Fadia warned on Wednesday that Pakistani cyber criminals break into more than 50 Indian websites per day. At a press conference, Fadia said the attacks have occurred almost non-stop since 2001. Despite being the IT capital of the world, India lags far behind in cyber security, he said. Fadia, who at 23, has risen to the forefront of the Internet security community, shared his research into the cutting-edge techniques hackers employ today. In particular, he ident... read more»
You don't have to look hard to find examples of public and private organizations that have been hacked by viruses and harmful worms - a quick Internet search will turn up plenty. The Charlotte Observer in North Carolina reported on Sept. 25, 2009, that 236,000 records at the University of North Carolina at Chapel Hill were compromised by virus activity. The data was from the Carolina Mammography Registry and was being used for a university research project. The intrusion was detected in July,... read more»
About 40 to 50 Indian websites, including those belonging to sensitive government agencies and corporate bodies, are being hacked or defaced by Pakistani cyber criminals every month, according to the prodigious 18-year-old 'ethical hacker' Ankit Fadia. Fadia, who has given consultancy services to a string of intelligence agencies, defence departments, government and private organisations including FBI and CBI, said he had recently submitted a '25-page white paper' to the government detailing ... read more»
Cyber security is widely recognized as a rapidly growing field, and is in need of new talent to lead the critical function into the future. The Naval Postgraduate School and National Science Foundation have long recognized the need for cyber security expertise, and have been strong participants in educating and administering the government's Federal Cyber Corps - a Scholarship for Service (SFS) program where students are awarded a free Master's degree, with a cash stipend included, in exchang... read more»
Yeah, I know, this is another one of those "everything changes" moments where we're prodded into frenzied activity--as opposed to effective action--because an emerging technology has surged ahead of our ability to properly manage it. It's interesting to note that cloud security holes result not from any inherent shortcomings of the technology itself, but rather from its inherently greater exposure. Namely, it's visible on the Internet.... read more»
Today’s Washington Post shows how aggressive the Chinese have been in probing US systems and interests. There have been reports in the past that the Chinese have trained North Koreans in advanced hacking techniques. South Korea and the US experienced DDoS attacks last summer that originated in North Korea. There have also been numerous reports about repeated hacks and probes into US government networks with many of them being successful in extracting sensitive information.... read more»
Global Internet advertising slipped for the third straight period in the third quarter, but the rate of decline is leveling off, indicating that the sector could be poised to return to growth early next year, according to research firm IDC. The firm reported online ad spending of $14.6 billion in the period, down 1 percent from the $14.7 billion it reported in the third quarter of 2008. U.S. spending contracted more sharply, down 4 percent from the year-earlier period, dropping from $6.6 b... read more»
Brad Haines believes the Internet would be a much safer place if big companies would stop hiring people based on fancy credentials, expensive university educations and clean-cut appearances. "The right people are not getting into the right places," Mr. Haines warned delegates at an Ottawa conference this month, saying that the world's best and brightest computer security minds are being ignored because they don't look or act like traditional business people.... read more»
Hackers will quickly jump on one of the 15 vulnerabilities Microsoft patched Tuesday to build attack code that infects Internet Explorer users, security researchers agreed today. The bug, which Microsoft patched as part of a record-tying security update for the month of November, is in the Windows kernel, the heart of the operating system. The kernel improperly parses Embedded OpenType (EOT) fonts, a compact form of fonts designed for use on Web pages that can also be used in Microsoft Word a... read more»
The key thing to remember when dealing with insiders is that they have access and in most cases will exploit the weakest link that gives them the greatest chance of access, while minimizing the chances that they get caught. Why try to break through a firewall and gain access to a system with a private address, when you can find someone behind the firewall with full access to the system? I know it has been emphasized many times, but taking advantage of access is a driving force in the insider att... read more»
Websense, today released the most recent video report covering Web threat activity for October 2009. The video supplement to the monthly “This Month in the Threat Webscape” report presents an informative recap of the most pressing Web, email and data security challenges for the month.... read more»
Of all the sinister things that internet viruses do, this might be the worst: they can make people an unsuspecting collector of child pornography. Heinous pictures and videos can be deposited on computers by viruses - the malicious programs better known for swiping your credit card numbers. In this twist, it's your reputation that's stolen. Pedophiles can exploit virus-infected PCs to remotely store and view their stash without fear they'll get caught. Pranksters or someone trying to frame yo... read more»
One year ago today email administrators were astonished to notice the amount of spam hitting their mail servers had plunged precipitously. Email volumes dropped off as much as 60 percent to 70 percent, and the reason wasn’t immediately obvious to anyone except for the folks who knew that McColo, a major spam-hosting ISP had been taken offline. Three of the largest spam-sending botnets at the time–Rustock, Srizbi, and Mega-D–had command and control machines hosted at McColo and were drastically a... read more»
Drive-by exploit writers have been spotted using a popular Twitter command to send web surfers to malicious sites, a technique that helps conceal the devious deed. The microblogging site makes application programming interfaces (APIs) such as this one available so legitimate websites can easily plug into the top topics being tweeted. As the concerns and opinions of Twitter users change over time, so too will the so-called top 30 trending topics.... read more»
Hackers are plundering personal data from jailbroken iPhones using the tactic demonstrated last week by an Australian programmer's self-described "prank," researchers said today. The new malware, dubbed "iPhone/Privacy.A" by Austin, Tex.-based security vendor Intego, uses the same approach as last week's "ikee" worm to silently snatch control of some iPhones. The attack code then steals a wide variety of personal information from the hijacked iPhone, including e-mail messages, names from the ... read more»
The Health Information Technology for Economic and Clinical Health (HITECH) Act extends certain HIPAA security and privacy requirements, as well as sets the stage for increased enforcement. Covered entities and business associates should act now to comply in a defensible manner.... read more»
An increase in competition among cybercriminals in recent months has significantly decreased the cost of hacking tools and services, making it cheaper for cybercriminals to launch attacks. For example, the price of Distributed Denial of Service (DDoS) attack services has fallen from thousands of dollars a day a few years ago to as little as thirty dollars a day. Similarly, fees for stolen credit card numbers and other sensitive information sold in underground markets have fallen. Web and emai... read more»
Cloud computing, the ubiquity of mobile devices and the necessity of sharing real-time business information with multiple partners, business units and customers has created gaping security holes in enterprise IP networks, according to a new study by IT research firm Yankee Group. In its whitepaper titled "IP Network Configuration and Vulnerabilities: What You Don't Know Can Hurt You," senior analyst Phil Hochmuth asserts that one of the biggest obstacles facing large companies today is ma... read more»
Results from a new survey suggest IT professionals must be constantly vigilant in watching for employee reprisals against company systems, thanks to the uncertain economy and, in some cases, multiple rounds of layoffs. The 12th annual Ernst & Young Global Information Security Survey of nearly 1,900 senior executives found that 75% of respondents were concerned with the possibility of reprisal from employees who have left their organizations. While many of those surveyed were concerned about m... read more»
If you are in need of finding out if there is ammonia, chlorine gas or methane in the air around you, there’s an iPhone app for that. A researcher at NASA's Ames Research Center has developed what NASA calls a proof of concept of new technology that would bring compact, low-cost, low-power, high-speed nanosensor-based chemical sensing capabilities to cell phones. The device NASA researcher Jing Li developed is about the size of a postage stamp and fits in the iPhone to collect, process and tr... read more»
The four men whom a federal grand jury indicted this week for their alleged roles in a scam that stole millions of dollars from RBS WorldPay were no fools. The small crew of hackers had a distinct division of labor, operated with skill and efficiency and left one of the world's larger banks holding the bag. Viktor Pleshchuk, Sergei Tsurikov, Oleg Covelin and a fourth man, identified only as "Hacker 3," pooled their talents, and with the help of a worldwide network of "cashers" in more than 28... read more»
This is the Cross Site Scripting Anonymous Browser project ("xab"). This project was registered on SourceForge.net on Mar 17, 2009, and is described by the project team as follows: Cross Site Scripting Anonymous Browser (XAB) leverages web sites and client browsers to build a network of drones. It is not to replace the current anonymous browsing applications, but provides an alternative that does not require willing participants.... read more»
Baltimore police are investigating a security breach at Mercy Medical Center that left an undisclosed number of patient records open to possible identity theft, according to the Maryland attorney general's office. The hospital's vice president for corporate compliance sent a letter to the affected former patients on Monday, saying that a former employee might have gained access to patient records in order to apply for credit cards and loans. A spokesman for the attorney general's office sa... read more»
How do you know if your online activities are secure, or if trouble is lurking around the corner? IEEE has brought together its security expert members to evaluate the most substantial threats to personal information, and to advise the public on how to best protect against security compromises online. All of the IEEE security experts polled cited malicious software, referred to as malware, and botnets, a group of automatic robots that infect a group of computers, as the chief security concern... read more»
Addressing the press conference, Ankit Fadia spoke on various issues concerning cyber security in India. Speaking about the cyber security issues India is facing today, he said Pakistani cyber criminals are able to deface 50 to 60 Indian websites a day, but, in retaliation, only 10 to 15 Pakistani websites are defaced. And this has been going on since 2001. No doubt India is the IT capital of the world, but, as far as security is concerned, India is lagging far behind, Ankit said. Speaking further he... read more»
CDW Government released its 2009 Federal Cybersecurity Report, which found that across Federal civilian and Department of Defense agencies, the number and severity of cybersecurity incidents has stayed the same or increased in the last year, with nearly one-third of Federal agencies experiencing a cybersecurity incident daily. The report, based on a September survey of 300 Federal IT security professionals, identifies agency cybersecurity threats, steps Federal IT professionals are taking to ... read more»
Researchers at Georgia Tech are developing tools for cleaning up mobile phones infected with malware remotely over the mobile network -- an approach that would ultimately give wireless providers a less intrusive method of restoring compromised smartphones. The National Science Foundation recently awarded the Georgia Tech College of Computing a three-year, $450,000 grant for the project to develop tools to advance the security of mobile devices and their networks.... read more»
(from information-security-resources at 11-11-2009)
Traditionally, malware has tended to originate mainly from countries like Brazil and America, with other nations such as Korea and India joining them in the top 10 malware charts in recent years. However, October’s threat stats reveal that the level of malware originating from the top 10 is decreasing. Unfortunately, rather than an overall decrease in spam and virus levels, this only means that the sources of malware are starting to spread to other nations.... read more»
Who the heck am I? Am I shopper-Bill, flyer-Bill, reader-Bill, buyer-Bill, potrero-Bill, or this that and the other Bill on the 30 or more sites that comprise my online life? And which of my many passwords do I need right now? If you spend much time online, you probably have the same problem I do: how to remember your ever-growing list of online usernames and passwords, and stay secure at the same time.... read more»
Web application security provider, Cenzic, has released its report detailing the most common types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Popular vendors including Sun, IBM, and Apache continue to be among the top 10 most vulnerable Web applications named. The most common published exploits on commercial app... read more»
On Monday, the security blog at Arbor Networks reported finding a bit of malware that checked in with a remote account to download some URLs. On its own, this is hardly a newsworthy event; botnets have used all sorts of communications protocols to receive updated code and information. What makes this discovery distinct is that the code that was feeding URLs to the botnet was running on Google's AppEngine platform.... read more»
The Department of the Interior inspector general has issued a report that's sharply critical of the agency's cybersecurity performance, concluding that its efforts fall short of federal government requirements. The recently issued report points to broad problems at the agency, from a decentralized IT organization to "fragmented governance processes." It says that the agency has "substantially under-qualified" cybersecurity personnel and that its IT leadership hasn't been as involved in cybers... read more»
The Internet may be 40 years old, but one of the most infamous aspects of both the Web and personal computing in general is quite a bit younger. It was 26 years ago when the first known proof of concept code for a computer virus was demonstrated in a public venue, following up on theories and other attempts to produce self-replicating code. The first official "virus" was born then, giving way to a fundamental change in computer security.... read more»
The number of security flaws being found in Web applications continues to grow and will likely dominate the security agenda for years to come, according to a report by application security vendor Cenzic Inc. Almost 80% of more than 3,000 software security flaws publicly reported so far this year have been in Web technologies such as Web servers, applications, plugins and Web browsers. That number is about 10% higher than the number of flaws reported in the same period last year -- and nine ou... read more»
The federal government paid out $751,750 to avoid a class action lawsuit after personal information was stolen from a Canada Revenue Agency office. The theft of six computers from the Tax Services Office in Laval, Que., on Sept. 4, 2003, jeopardized the personal information of 120,000 people. "The purpose of the settlement was to compensate for the inconvenience caused to the class action members who took certain steps to limit the risk of their information being used without their consent... read more»
A law that demands consent to internet cookies has been approved and will be in force across the EU within 18 months. It is so breathtakingly stupid that the normally law-abiding business may be tempted to bend the rules to breaking point. The fate of Europe's cookie law became improbably entwined with a debate over file-sharing. To cut a long story short, it broke free. On 26th October, it was voted through by the Council of the EU. It cannot be stopped and awaits only the rubber-stamp forma... read more»
Eight Eastern Europeans have been indicted in connection with the hacking of payment services provider RBS WorldPay, which netted the defendants a $9 million windfall, prosecutors said Tuesday. Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova and an unnamed person known as "Hacker 3" each were charged by a federal grand jury in Atlanta in 16-count indictments alleging wire fraud, conspiracy to commit wire fraud, ... read more»
A leading security expert has warned that UK organisations need to focus more security efforts on behavioural monitoring of employees, or risk failing on data security and falling behind on the global stage. Stuart Okin, former chief security advisor of Microsoft and now UK MD of consultancy Comsec, said the current information overload facing firms means they cannot afford to take a reactive approach.... read more»
A new survey from web content management firm SDL Tridion suggests consumers are happy to surrender to big brother-style behaviour tracking, so long as they are rewarded with special offers and increased personalisation in return. SDL spoke to some 1,000 UK shoppers and found that a vast majority – 74 per cent – "valued" loyalty schemes that offered discounts based on their personal shopping habits.... read more»
One day in late summer 2008, FBI and Secret Service agents flew to Chicago to inform Barack Obama's campaign team that its computer system had been hacked. "You've got a problem. Somebody's trying to get inside your systems," an FBI agent told the team, according to a source familiar with the incident. The McCain campaign was hit with a similar attack.... read more»
An organization's security has a lot to do with its e-mail system, a top security official at Microsoft suggested. "Messaging is fraught with a lot of challenges," said J.G. Chirapurath, Microsoft's senior director for identity and security, in a phone interview. "It comes down to the integrity of the information and who is seeing it. It's all about secure messaging because when you examine the world we live in, e-mail really is the biggest attack vector, as well as the biggest leak vector."... read more»
A young Australian web designer has become the first person to create a virus for Apple's wildly popular iPhone. The worm, known as Ikee, changes the device's wallpaper to a picture of '80s singer Rick Astley with the words "Ikee is never gonna give you up" — a reference to Astley's biggest chart hit — before trying to spread to other devices.... read more»
Reprisals from recently departed employees and a lack of adequate security budgets and resources are becoming major concerns for senior IT professionals, according to the 12th annual Ernst & Young Global Information Security Survey. The survey, which canvassed nearly 1,900 senior executives in more than 60 countries, shows that 75% of respondents are concerned with the possible reprisal from employees who have left their organizations. Furthermore, 42% of respondents are already trying to und... read more»
Human error is to blame for the accidental exposure last week of more than 4,500 Chaminade University students' Social Security numbers on the private Catholic college's official Web site. University officials discovered the snafu Wednesday and quickly removed the obscure but accessible links from the Web site. The students' Social Security numbers were exposed for about eight months, according to a statement released by the Honolulu-based university, and thus far there is no evidence that... read more»
The FBI, the intelligence folks, and the counter-intelligence folks all know the threats that corporate America is under from both foreign intelligence services and global organized crime, but you probably don't. These combined communities do a commendable job understanding potential threats to your information systems, ranging from corporate espionage, insider threats, organized crime, theft of property, and even foreign government attacks. But what they haven't yet mastered is how to best us... read more»
Scientists are set to unveil a lightweight system they say makes an operating system significantly more resistant to rootkits without degrading its performance. The hypervisor-based system is dubbed HookSafe, and it works by relocating kernel hooks in a guest OS to a dedicated page-aligned memory space that's tightly locked down. The researchers, from Microsoft and the computer science department at North Carolina State University, plan to present their findings Thursday at the 16th ACM Confe... read more»
Only one in seven people in the UK view checking that they are buying from a trusted website as a priority when shopping online, according to a recent poll. The survey, conducted by PayPal, found that this was in comparison to three-quarters of shoppers who were solely intent on finding the best deals. Over 37 million people in Britain will be doing some or all of their Christmas shopping online this year, according to PayPal. In accordance with this, the internet pay site has published a lis... read more»
Only a quarter of UK organisations feel able to respond effectively to a data breach, despite the fact that they experience on average 1.5 data breaches every year, according to a survey from computer forensics firm Kroll Ontrack. And while 56 per cent of respondents have conducted a vulnerability assessment in the past 12 months, only 25 per cent are confident in their incident response. In addition, 15 per cent of companies believe their responses to data breaches are not effective at all.... read more»
(from Center for Democracy And Technology at 11-11-2009)
Last week, I attended the 31st International Conference of Data Protection and Privacy Commissioners in Madrid. Government data privacy officials representing 46 countries were there, as well as hundreds of lawyers, corporate privacy officers and advocates from around the globe.... read more»
A story recently surfaced saying malware could plant child porn on innocent people's computers without their knowledge. Just how real is this threat? And how can you keep it from happening to you? Being accused of possessing child pornography can ruin people's reputations, confront them with overwhelming legal bills and, if convicted, deprive them of their freedom for years if sentenced to prison time, and perhaps for life if they're required to register as sex offenders.... read more»
For the last several months, some of the folks at Comcast have been working on a draft IETF document to inform ISPs about the role they can play in remediating bots on their customers’ computers. This is a tricky challenge: on one hand, ISPs are in a great position to detect bot activity, notify their customers, and potentially even block traffic. On the other hand, customers and net neutrality advocates don’t want ISPs mucking around with customers’ Internet use.... read more»
The Treasury Department wants more than $500,000 to comply with a Freedom of Information Act request, a fee an attorney on the case suggested Tuesday might be one of the largest bills of its kind. “I have not seen one that has been larger,” said Noah Wood, a Missouri attorney suing the government to comply with his nearly four-year-old FOIA request. The Treasury Department, Wood said, is “downright telling us where we can stick it.”... read more»
A leak at a third-party service provider may have caused a compromise of employee and customer data at insurance giant MassMutual, the company says. According to news reports, former employees are being notified of a breach that may affect the personal information of family members, as well. "MassMutual can confirm that, despite comprehensive procedures and diligent practices to protect confidential and private data concerning employees at MassMutual and several of its subsidiaries, a limited ... read more»
This month in the world of Web security saw prominent Web sites like UK's Guardian's Web site hacked, a case of malvertising on Gawker Media's sites (parent company of Lifehacker, Gizmodo), and more Facebook apps that continue to infect users. As the incidents below will testify, social-engineering traps continue to proliferate (because they work).... read more»
The cyclone over the Arabian Sea Wednesday was “likely to intensify further” and cross the Indian coast between north Maharashtra and south Gujarat in the early hours of Thursday, says the India Meteorological Department (IMD). Now named Phyan, the cyclone was about 250 km directly west of Goa at 2.30 a.m. Thursday, the IMD said on its website, even as it issued an “orange” alert. That is one step below the red alert put out for a really severe cyclone.... read more»
Nearly one-third of federal agencies experience a cybersecurity incident daily, according to a new survey by CDW Government, Inc. The report, based on a September survey of 300 federal IT security professionals, underscores the seriousness of threats against every government agency. The number and severity of cybersecurity incidents stayed the same or increased in the last year, according to the survey. "Fundamentally, cybersecurity is not just a technology issue--it is a management and cultu... read more»
In China, Google is forced to censor its search engine, Facebook and Twitter are blocked, U.S. news agencies are barred from selling their services freely, and foreign investment in the media industry is closely watched. Yet when President Obama visits the country in a few days, it's unknown if he will publicly pressure the Chinese government on issues of censorship or free expression. The president yesterday defended his position on these issues, saying, "We believe in the values of freedom ... read more»
High profile data breaches have dominated the news and give the perception that hackers only target large corporations. The reality is that cyber criminals are increasingly targeting small businesses because it’s perceived that small businesses don’t have the know-how, security technology and motivation to secure their computers and data, making them easier targets. 1) Cyber security incidents can cause real losses small businesses can’t afford. Cyber criminals and hackers cost businesses re... read more»
A leading security expert has warned of widespread data theft as more and more organisations move their information into the cloud, and urged firms to consider data encryption by key management as the only viable way to mitigate this risk. Speaking to VNU as part of its Information Overload Summit, Dave Rand, chief technology officer of Trend Micro, argued that IT teams want to move to cloud computing because of the cost savings, but are put off by the lack of data protection assurance offere... read more»
More than half of federal information technology professionals fight cybersecurity battles at least weekly, survey results released on Tuesday indicate. Thirty-one percent of defense and civilian technology officials experience incidents daily, according to the September survey conducted by marketing firm O'Keefe and Co. on behalf of IT solutions provider CDW-G. Breaches included external attacks, viruses, lost handheld devices and employee violations of cybersecurity policy.... read more»
While surveys about security usually end up telling us about how bad people feel, a global survey released Tuesday indicates there's substantially less anxiety about Internet security, personal safety and national security than there was six months ago. Concerns over security in everything from online shopping and banking to safety from computer viruses, as well as national security along with personal and financial security, were significantly down over what was recorded half a year ago for ... read more»
A former employee broke into a Woodbury financial services company, photocopied customers' Social Security numbers and bank reference numbers and took the photocopied data with him when he left, Nassau police said Tuesday. Christopher Pemberton, 31, was arrested Monday and charged with burglary. He had worked at Obsidian for six days in October, then used the front door key code to enter the building a bit before 9 p.m. on a Friday evening, Oct. 16, police said. A message left on voice... read more»
A computer security company known for battling botnets moved last week to try to shut down a persistent spam player. FireEye, a California company that makes security appliances, had been tracking a botnet called Mega-D or Ozdok. Mega-D, which is a network of hacked computers, has been responsible for sending more than 4 percent of the world's spam, according to M86 Security. Many of the computers that make up Mega-D are infected home PCs. Mega-D is one of several botnets that have impleme... read more»
I've been amongst the few people that have attended both the IGF and ICANN meetings, and my understanding of issues pertaining to Internet Governance has been enlightened to a great extent. After participating in the IGF Open Consultations twice, the WSIS Forum and the 12th Session of the Commission on Science and Technology, United Nations, I felt a strong need to see with my own eyes and participate with what goes on in ICANN to explore what all the rhetoric has been about. Interestingly, cons... read more»
The current economic environment puts companies at a higher risk for technology threats from newly laid-off workers, and the situation is exacerbated by a lack of resources available to put in place safeguards, a report said Monday. An annual information-security survey by Ernst & Young, a global business advisory firm, showed 75% of companies are concerned about former employees participating in some kind of technology-related sabotage against them. As well, 41% reported an increase in exter... read more»
US retailers rack up around $100 billion in identity fraud losses every year, absorbing nearly 10 times the cost incurred by financial institutions, according to a study from LexisNexis and Javelin Strategy & Research. LexisNexis, which surveyed retailers and consumers for the research, says that when factoring in the additional cost of lost and stolen merchandise, merchants lose $191 billion to fraud every year. Merchant fraud losses amount to more than 20 times the total value lost by consu... read more»
Hundreds if not thousands of Facebook groups were usurped this week by an organization calling itself Control Your Info, renaming the groups "Control Your Info" and posting a message warning users of the very security vulnerability that allowed it to take control of the group. Unlike previous Facebook phishing and spyware attacks, this group claims its intentions are noble and promises to relinquish control of the commandeered group pages sometime next week. "Hello, we hereby announce that... read more»
Nearly one-third of federal agencies confront cyber threats every day, with many of the vulnerabilities stemming from foreign attacks and lax internal policies and employee habits, according to a study released today by IT contractor CDW-G. In its polling of 300 cybersecurity professionals across military and civilian federal agencies, CDW-G found that the threat rate had either held steady or increased over the past year. Many respondents said their budgets were stretched too thin to esta... read more»
US armstech mammoth Raytheon has announced that its "government insider threat management solution" for information security will be powered by Linux. Penguin-inside crypto modules to be used in Raytheon's mole-buster tech have now passed tough federal security validation, apparently. The insider-threat detector gear in question is Raytheon's SureView, designed to root out the whole spectrum of security no-nos from "accidental data leaks" through "well-intentioned but inappropriate policy vio... read more»
Mashable reports that anyone can hijack a group on Facebook just by joining the group and registering as an administrator after the real admin has left. The group is then at the mercy of the "illegal" admin, who can change the name, edit the information, the picture, send messages to members - in short, he can abuse the acquired "power" by putting up offensive stuff. There was a Facebook group by the name Control Your Info, whose members were going around and hijacking groups to try to raise ... read more»
A BBC page has been detected as being at risk to cross site scripting (XSS). ProCheckUp has published a vulnerability showing that the Betsie (BBC education text to speech internet enhancer) page is vulnerable to XSS with the ability to inject malicious characters into the requested path. Additionally, Betsie discloses the webroot when the parser.pl program is called without any parameters.... read more»
The notorious Koobface malware has started using Google's Reader service to spread further. Researchers say that the new attack uses spammed messages that send users to the compromised pages on the Reader service. When the user clicks on a fake video embedded in the page, traffic is diverted to another site that attempts to run a remote exploit and malware installation. Trend Micro senior security adviser Rik Ferguson noted that the attacks provided a slight variation on the Koobface attac... read more»
In the market, there are more Linear Tape-Open (LTO), Digital Linear Tapes (DLT) and 9x40 cartridges circulating that are not as new as the shiny and perfect packaging leads customers to believe. These tapes have had their ‘mileages’ reversed; they have been on the road for some time and then been recycled as new. This tape recycling phenomenon is encouraged by the need of organisations to destroy their old tapes. The limited budgets endured by IT departments also give malicious used-tape ... read more»
We've all seen lamps with phone jacks in hotel rooms. Well, here's a lamp that plugs into a phone jack in your home and operates by filching the trickle of electricity found there. Clever? Bound to upset phone companies? Both? The lamp is sold by an outfit called UxSight, which lists addresses in Hong Kong and San Mateo, Calif. Here are some of the specs: * Environment friendly 8 LED RJ11 Lamp is powered by any available RJ11 socket only; * Made of durable plastic and... read more»
Four men have been indicted in Georgia on charges that they hacked into the Atlanta-based bank card processing company RBS WorldPay and used an army of flunkies to steal $9.5 million in cash from ATM machines around the world in a span of hours. Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a fourth person identified only as “Hacker 3” were indicted by a federal grand jury in what’s being described ... read more»
Our electric grid is vulnerable to a cyber attack and come to think of it so is every other piece of U.S. infrastructure. That not so happy tale was painted by a bevy of folks in a 60 Minutes report. 60 Minutes also unearthed an attack on Brazil’s grid. In a nutshell: * We’re not ready for a cyberattack; * The hackers can move much faster than the U.S. government; * A lot of the worst attacks will revolve around the power grid since everything needs electricity. For those ... read more»
Federal prosecutors alleged that members of an elaborate hacking ring broke into debit-card systems and stole $9 million from automated teller machines in hundreds of cities world-wide. Prosecutors in Atlanta Tuesday announced indictments against eight members of the alleged ring, from eastern European countries, in what is believed to be among the most brazen and damaging electronic bank heists to date. The alleged hackers cracked a computer system at RBS Worldpay Inc., the U.S. payment-p... read more»
It took the Information Systems Department for Howard County about 30 minutes to determine an e-mail requesting information from county employees was a phishing expedition. Anyone with an e-mail account has experienced numerous spam messages offering money and vacations. All are seeking personal information that would not be requested through an e-mail by reputable companies, banks or government agencies. The e-mail was received by a select number of employees on Oct. 29. The county’s Info... read more»
Rutgers University researchers are testing whether "activity-based" password hint questions are better at safeguarding security than the static ones we're all used to, such as "What's your mother's maiden name?" These activity-based password clues would be tied to your recent activity, like "What were you doing at noon yesterday?" "We want the question to be dynamic," said Danfeng Yao, assistant professor of computer science in the Rutgers School of Arts and Sciences, in a statement. "The... read more»
Of all the sinister things that Internet viruses do, this might be the worst: They can make you an unsuspecting collector of child pornography. Heinous pictures and videos can be deposited on computers by viruses — the malicious programs better known for swiping your credit card numbers. In this twist, it's your reputation that's stolen. Pedophiles can exploit virus-infected PCs to remotely store and view their stash without fear they'll get caught. Pranksters or someone trying to frame yo... read more»
Could hackers get into the computer systems that run crucial elements of the world’s infrastructure, such as the power grids, water works or even a nation’s military arsenal? Watch the CBS News 60 Minutes segment after the jump.... read more»
The operator of Tagged.com will pay $750,000 and overhaul its practices to resolve charges that the social networking site tricked members into providing personal details to lure new members and send out tens of millions of spam emails. Tagged Inc will pay $500,000 under an agreement with New York Attorney General Andrew Cuomo, and $250,000 under a separate accord with Texas Attorney General Greg Abbott. Cuomo said Tagged would also provide clear disclosures when seeking access to new user... read more»
An investigation was under way today after a hacker launched a crude attack on a police website, apparently in revenge for terror deaths in Pakistan. Access to the Durham Police website was temporarily blocked by staff after its security was breached by a man calling himself "L33T HACKER Ali.Mani".... read more»
How many times have you used a USB flash drive at your offices? Hundreds? Thousands? Their sheer convenience makes usage almost second nature. But as often happens with IT security, whenever a device or platform becomes popular, it also becomes a target for malicious exploits – making it a security risk that can prove costly. The high cost of taking a security risk was discovered by Ealing council when earlier this year an employee inadvertently used an infected memory stick. The council’s ow... read more»
The actions of former employees are posing an increasing risk to companies, according to a new study. Researchers from Ernst & Young said in the firm's annual Global Information Security Survey that as more companies are forced to cut staff, information theft and destruction at the hands of former workers is becoming an increasing risk.... read more»
Everyone knows what bandit Willie Sutton said when asked why he robbed banks - “that's where the money is.” In the modern era, a presumption exists that hackers predominantly target Fortune 500 and large enterprises (500-plus employees) because that's where the money is. However, a new McAfee study finds that midsized businesses (less than 500 employees) suffer more cyber-attacks and greater damage than their Fortune 500 counterparts.... read more»
A POLICE force said its website will remain shut until security improves after a hacker launched a crude attack today, apparently in revenge for terror deaths in Pakistan. Access to the Durham Police website was temporarily blocked by staff after its security was breached by a man calling himself "L33T HACKER Ali.Mani".... read more»
(from information-security-resources at 10-11-2009)
Over the years there have been many… too many…instances where doctors have performed the wrong types of surgeries on patients, and even the wrong surgeries on completely wrong patients… There was a very interesting, and very concerning, news report yesterday, “Rhode Island Hospital Fined for Fifth Surgery Error in Two Years” To summarize, Rhode Island Hospital was fined $150,000 by the Rhode Island Department of Health after a surgeon operated on the wrong finger of a patient. The ho... read more»
Freedom of speech campaigners are railing against the repression of bloggers around the world, following claims by a prominent Cuban dissident that she was beaten up for her online activities. Yoani Sánchez, an author and blogger who has forged a reputation as a critical voice against the Castro government, said over the weekend that she and other bloggers had been attacked in Havana in what she called a "gangland style kidnapping"... read more»
Cybercrime is evolving on the internet as more people come online who are not aware of how the internet works and how vulnerable they may be. There are groups of cybercriminals who exploit and deface webpages to gain personal information. Criminals have the ability to drop a 'code' into webpages without people knowing.... read more»
The FBI official in charge of major cybercrime investigations told an international gathering of computer security experts last week that financial services companies have suffered massive thefts due to hackers. "The financial services sector has seen losses in the hundreds of millions of dollars in actual cash removed through the infrastructure," FBI Assistant Director of Cybersecurity Shawn Henry said in a Tuesday keynote address to the Information Security Forum's World Congress in Vancouve... read more»
The rising use of social networking and collaboration apps on corporate networks has spawned increased security risks beyond potential productivity losses, firewall vendor Palo Alto warns. The warning coincides with the appearance of a variant of the Koobface worm linked to Google Reader accounts controlled by hackers. Aside from acknowledged business benefits, Web 2.0 applications can transfer files, propagate malware, and have known security flaws that might be exploited by hackers. Despite... read more»
Late last week, the Mega-D botnet (aka Ozdok) suffered as its major control servers were taken out of action. The folks over at FireEye analyzed the botnet’s control structure and fallback mechanisms. They then set about disabling Mega-D by contacting various ISPs to disable control servers, de-registering current control domains, and registering unused fallback domains. As seen in the chart below, which indicates the relative movements in the volume of spam received by Mega-D by our spam tr... read more»
Federal Security Spotlight this week talks to Martin Libicki, a senior management scientist at the Rand Corporation and author of a new book, Cyber Deterrence and Cyber War. While it is certainly tempting to want to hit back and zap the sources of the constant cyber probes and occasional breakthroughs that hit federal and major contractor networks, that might not always be the wisest policy. Libicki points out that it is difficult to know the other side's vulnerabilities and ability to withsta... read more»
The Melissa worm, one of the most prolific email viruses in history, earned its notoriety by forwarding itself to the first 50 people found in a victim's Microsoft Outlook address book. Security researchers celebrated its 10th anniversary earlier this year, and in the decade since Melissa, the world has seen a boom in viruses, Trojans, SQL injection, spam, phishing and drive-by downloads. There's no shortage of security threat reports from vendors in the antimalware business highlighting that... read more»
When it comes to complying with federal security mandates, chief information security officers contend with a set of arduous tasks that could rival the 12 labors of Hercules. Under the Federal Information Security Management Act, agencies must file annual reports to Congress that outline their compliance with more than a dozen categories of security controls that span technology, management and operations. In addition, the Federal Desktop Core Configuration (FDCC), which seeks to secure de... read more»
A new generation of spammers is rising up in regions such as Asia Pacific, Japan, and South America, and beginning to outstrip their North American counterparts in junk mail output. Asia Pacific and South America accounted for 23 percent and 22 percent, respectively, of global spam during October. That's according to a new study on spam by Symantec, published on Monday, which concludes that 87 per cent of email messages are now made up of junk mail. EMEA still accounts for 28 per cent of spam... read more»
This is a post from our blog in May 2007: http://www.f-secure.com/weblog/archives/vanbot.png Yesterday, three people were sentenced for writing the above malware (it's a variant of the Vanbot family) and other attacks — including some DDoS action. The sentences were: 45 days jail, 40 days jail, and 0 days jail, respectively. The sentences were probationary, so nobody actually went to jail. In addition, some fines were written. All the three convicted were underage. ... read more»
Nothing has ever changed the world as quickly as the Internet. Less than a decade ago, "60 Minutes" went to the Pentagon to do a story on something called information warfare, or cyberwar as some people called it. It involved using computers and the Internet as weapons. Much of it was still theory, but we were told that before too long it might be possible for a hacker with a computer to disable critical infrastructure in a major city and disrupt essential services, steal millions of dollars ... read more»
Protests from ISPs and phone providers have further delayed government plans to massively increase monitoring of phone calls, web browsing and emails, it's revealed today. As a result of concerns over costs and technical feasibility, it is now expected that the legislation necessary to implement the £2bn surveillance programme - known in Whitehall as the Interception Modernisation Programme - will not be included in next week's Queen's Speech.... read more»
A computer hacker protesting over terror deaths in Pakistan has attacked the website of Durham Police, forcing it to temporarily close. The cyber vandal wrote: "Ur security sucks UK police this is my revenge against u. U are the one who are blasting bomb in Pakistan. Ur security is zero." Durham Police said an investigation was now under way and the "offending matter" was being removed by computer specialists.... read more»
A forensics tool built by Microsoft exclusively for law enforcement officials worldwide was posted to a file-sharing site, leaving the USB-based tool at risk of falling into the wrong hands. COFEE is a free, USB-based set of tools, which Microsoft offers only to law enforcement, that plugs into a computer to gather evidence during an investigation. It lets an officer with little or no computer know-how use digital forensics tools to gather volatile evidence.... read more»
In the 24th episode of Team Cymru's 'The Who and Why Show', we're joined by Team Cymru's Dave Monnier. Dave talks us through the latest threats from the Underground Economy from a consumer perspective.... read more»
Cyber criminals' love affair with cloud computing just got steamier with the discovery that Google's AppEngine was tapped to act as the master control channel that feeds commands to large networks of infected computers. The custom application was used to relay download commands to PCs that had already been infected and made part of a botnet, said Jose Nazario, the manager of security research at Arbor Networks. Google shut down the rogue app shortly after being notified of it.... read more»
Seventy-eight percent of all the vulnerabilities identified during the first half of the year were found in web applications, browsers and servers, according to a report released Tuesday by web application security provider Cenzic. The report was based on the published vulnerability disclosures for various commercial off-the-shelf and open-source software products. Flaws in web technologies have accounted for 70 to 80 percent of all the disclosed vulnerabilities since the beginning of 2008, a... read more»
IT WAS an online spat that escalated into a flame war. The next thing he knew, an online attack left his website crippled - less than a week after it was put up. The website in question: a community forum for residents of a Jurong condominium. The attack: a flood of hits, which took the site down for more than an hour. The drama unfolded after Mr Paul Lim, 45, decided to create an exclusive online forum for residents in his condominium.... read more»
The perils of running a successful e-commerce business were highlighted again yesterday, after the BBC reported that popular online retailer Play.com had been hit by problems affecting its online ordering system. It appears that many customers received emails for orders they had not placed. On opening those emails they found the names, addresses and other contact details of other Play.com customers.... read more»
The folks over at FireEye report on one of their takedown efforts of the Ozdok (aka Mega-D) botnet. Victims of this infection have pop-up advertisements pushed to their system and they are used to send spam—a significant amount of spam according to M86 Security. This is good news. A major spam source has been disrupted. Unfortunately we’re still left with thousands of machines that have been infected. In many cases of adware/spyware infection the malware will disable or impede Anti-virus pro... read more»
The Senate Judiciary Committee on Thursday approved two personal data security bills that would establish federal standards for protecting data and reporting its loss. But security experts say that threats to personal data are evolving faster than our responses to them. "The crooks are trying to find out how to better impersonate you on the Internet," said Rick Kam, president of ID Experts, at a recent data security briefing hosted by TechAmerica. Criminals are aggregating more information... read more»
The Australian programmer who claims to have created the world's first Apple iPhone virus as a prank has told Computerworld he does not regret writing it. The worm, 'Ikee', changes iPhone owners' wallpaper and replaces it with a photo of '80s pop star Rick Astley and the message "ikee is never going to give you up". Twenty-one-year-old Wollongong resident Ashley Towns said he created the virus out of curiosity and boredom. "I had just formatted my iPhone and it told me to set the passwor... read more»