Sunday, December 31, 2006

Computer Warming a Privacy Risk

A security researcher has a devised a novel attack on online anonymity systems in which he literally takes a computer's temperature over the internet. The attack uses a phenomenon called "clock skew" -- the tendency for the precise clocks in modern computers to drift off of the correct time at slightly different rates, which can be affected by heat.

Read more HERE.

After Vista - Fiji and Vienna

Windows Vista has been released for a month now to business, and is going to be released to the general public in a month (January 30). For those who haven’t been following Vista’s development, it is worh noting that even though Vista comes 5 years after XP, it is a rushed product.

Originally set to be a relatively small update to XP, to be released in 2003, it was re-envisioned as a major release, with revolutionary technologies such as WinFS (a new file system), Palladium (security system), Avalon (graphics system) and Indigo (communications system).

Read more HERE.

New hacker tools for Bluetooth

Two new tools, in the form of BTCrack and Hidattack, were released Friday at the 23rd Chaos Communication Congress in Berlin. They demonstrate serious security vulnerabilities in Bluetooth at the protocol level. BTCrack permits hacking the pairing of two Bluetooth devices. Hidattack permits remote, external control of a wireless Bluetooth keyboard, so that it is possible to make keyboard entries on the connected computer.

Read more HERE.

GoldenEye (GoldEye) Password Cracker

GoldenEye is a brute-force hacking program and was written for web-masters to test the security of their own sites. This is an oldskool file, a lot of people are still looking for this.

Read more HERE.

Weekend Reading

The Karl "Hagbard Celine" Koch Story

Clifford Stoll, by training an astronomer, by occupation a systems administrator at Lawrence Berkeley Laboratory, was investigating a 75-cent discrepancy in a supposedly defunct computer account that seemed to have been commandeered by an unauthorized user.

The intruder was giving himself system privileges and creating accounts with names like Hunter, Jaeger, Benson, and Hedges. Although Stoll could have simply changed passwords, reassigned privileges, and so forth — effectively slamming the door on the intruder — he chose instead to monitor the intruder’s on-line activity in the system. What the intruder was doing was using the LBL computers as a jumping-off point into the Arpanet, and then the Milnet (an unclassified military network), and thence to various Department of Defense computers on bases nationwide. From the files being examined, it was clear that the intruder was looking for secret American military information. Stoll was on the trail of a hacker spy.

Read the entire article HERE.

Wardriving in Paris

We regularly conduct research into Wi-Fi networks and protocols in order to gain a picture of the current state of affairs and to highlight current security issues. We focus on Wi-Fi access points and mobile devices which support Bluetooth. We’ve already published research material using data gathered in Peking and Tjianjin, CeBIT 2006 and InfoSecurity Europe, held in London.

This latest piece of research was conducted in Paris, partly in the city itself, and partly at InfoSecurity 2006, which was held in the French capital at the end of November 2006.

Read more HERE.

Microsoft adds behavioral targeting

Microsoft Corp. has started linking users' search habits with other personal information as it prepares to show more personalized advertisements. Microsoft uses that information to build a profile for a certain class of users - women over 30 who read financial news, for example - and sell marketers the opportunity to reach that targeted group as they surf Microsoft properties.

Read more HERE.

Hack the Gibson - Episode #72

The first thing I want to mention is that the constant marketing push for SpinRite makes me curious. I have no way to try it (because Steve doesn't make a demo version publicly available), but after reading a book Kurt (a very well known company that specializes in data recovery since 1989) I have the distinct feeling that running SpinRite on a damaged disk can be very dangerous.

Read more HERE.

Five Things Vista can do ...

I wanted to make an opportunity to respond to those who keep repeating silly statements like, "Windows Vista is nothing but Windows XP with a new skin!" or, "Why would anyone want to upgrade to Windows Vista!?!" in an intelligent and reasoned manner:

Read more HERE.

ReadyBoost - swap space on a stick

Windows Vista introduces a new concept in adding memory to a system. Windows ReadyBoost lets users use a removable flash memory device, such as a USB thumb drive, to improve system performance without opening the box.

Read more HERE.

Saturday, December 30, 2006

Happy New Year - Worm

A rootkit-cloaked worm is being heavily spammed to users as an attachment to "Happy New Year!" messages, a security researcher warned Friday.

The new worm, dubbed "Tibs" by Kaspersky Lab but pegged as a "Nuwar" variant by Trend Micro, comes disguised as a file attachment named "postcard.exe," said Ken Dunham, director of VeriSign iDefense's rapid response team, in an e-mail. Users who launch the executable will infect their PCs.

Read more HERE.

F-Secure Summary : Luder is an e-mail worm, a dropper for a trojan downloader and a file infector. The worm sends itself as attachment named 'postcard.exe' in e-mail messages with the 'Happy New Year!' subject. The trojan downloader downloads and runs files from a website.

Germ-free wireless keyboard

How about the real, non computer, viruses and other germs? Ever felt like getting out of a stuffy Net cafe somewhere, seeing others cough and sneeze into their keyboards, and then holding the mice with hands still wet with all the germ cocktails? Think your office is safe? That office desk may harbour 400 times more germs than an average toilet seat, according to a recent Univ of Arizona survey.

Read more HERE.

What's the Best Q&A Site?

We put Yahoo Answers, Amazon's Askville, and rival question-and-answer services to the test. Everyone knows a lot about something, whether it's quasars, quilting, or crayons. But the converse is also true: there are a lot of things that most people know nothing about. And unfortunately, that doesn't seem to stop them from sharing their opinions.

Read more HERE.

Website : FILExt - The File Extension Source

A file extension is nothing more than the last characters after the period in the name of a file. FILExt is a database of file extensions and the various programs that use them.

Take a look HERE.

Friday, December 29, 2006

CERTStation Threat-Level Aggregator

CERTStation Threat level Aggregator displays the current threat level, in real-time, as assessed by 8 of the Internet's leading vulnerability watch services such as Symantec Threatcon, ISS Alertcon and SANS Infocon on one publically accessible Web page.

Viisit the website HERE.

Source :

Another Vista Activation Crack Appears

As the Microsoft spokesperson acknowledged, there are reports about the crack, which requires setting a computer's BIOS clock to 2099. The hack does work on 32-bit Windows Vista installations but not necessarily on 64-bit versions. The process requires some other Windows changes and an eventual clock reset from within Vista, leading to a perpetual state of 30 days to activation.

Read the article HERE.

Microsoft Security Bulletin Minor Revisions

The following bulletins have undergone a minor revision increment.

Updated: December 27, 2006
Bulletin Severity Rating: Critical

Read more HERE.

Program Prevents Crashes And Hacker Attacks

Computer scientist, Emery Berger [University of Massachusetts], has created a new program that prevents crashing and makes users safer, he says. Dubbed DieHard, there are versions for programs that run in Windows or Linux. DieHard is available free for non-commercial users.

Read more HERE.

Bot-infected PCs get a refresh

On Christmas day, the number of bots tracked by Shadowserver dropped nearly 20%.

Read more HERE.

Thursday, December 28, 2006

DRM cracked by BackupHDDVD tool?

Can it be? Is Hollywood's new DRM posterchild AACS (Advanced Access Content System) actually quite breakable?

Read the article HERE.

Original post HERE.

Disclaimer : No, AACS Was Not Cracked

Which is the safest browser ?

[ Regular readers do not win a prize for giving the right answer ]

During the course of 2006, Secunia published in excess of 5000 advisories to bring the total in its database to 15,500. All of which means that choosing your web browser client based upon its inherent security strength is actually rather a good idea, and luckily Secunia can help here by monitoring and graphing every client on just this basis.

Read more HERE.

Banking Trojan

New trojan banker combines key logging with an optimized technique for virtual keyboards. Every time the user clicks in the virtual keyboard, the trojan performs a series of small screen captures of the area that surrounds the cursor. It also adds a small red arrow that pinpoints the exact place the user clicked, so that the attacker can see clearly the key the user selected.

It has been specifically designed for banking institutions in Argentina, Bolivia, Brazil, Cape Verde, Spain, USA, Paraguay, Portugal, Uruguay, and Venezuela.

In-Depth Analysis:
New technique against virtual keyboards.pdf

Watch the video HERE.

Source :

The Six Dirtiest Tricks of 2006

The following is Dark Reading's look back at six of the most clever and devious IT security exploits of 2006, which we call "The Six Dirtiest Tricks of 2006." (Catchy, ain't it?) These are the exploits that attracted the most attention from our readers during our first seven months of publication. (Okay, so it's not the whole year. Sue us.)

Read the article HERE.

Pirates 5 Legal 1

A recent study conducted by consumer and retail analysis group NPD claims that peer-to-peer (P2P) video downloads (which in the study are synonymous with illegal downloads) are outpacing purchases from legitimate video download services five to one.

Read more HERE.

Microsoft hands out laptops to bloggers

The "BlogNet" is buzzing with the fact some bloggers have received free laptops from Microsoft. Is it ethical? Probably not. Is it worth something to hard-working sweat and tears bloggers? Hell yeah. Microsoft... feel free to send me a Ferrari any time you like.

Read more HERE.

Wednesday, December 27, 2006

Goodbye SSL padlock

The CA/Browser Forum wants to bring increased safety to web banking and e-commerce by developing a new digital certificate that can better verify a site's legitimacy. The technology is already included in Internet Explorer 7 and Opera 8 and certainly looks like a step in the right direction—for the companies that are able to get a certificate.

Read the article HERE.

Web 'safe' mark may elude new merchants

As an online shopper, Claudia Race knows she must look out for scams. So as an Internet entrepreneur working out of her home in New Braunfels, Texas, Race wants to use all the tools available to assure customers they can trust the vacation-rentals service she is about to launch.

But because her small business is so new, Race said she might not qualify for the online seals of approval that Inc. and other larger, established companies are getting to instruct Microsoft Corp.'s Internet Explorer browser to display a green address bar for "safe" when people visit her site.

Read more HERE.

Malware Hiding Behind Certified Sites

A new study warns that Web sites containing security certificates are not necessarily safe. The results were somewhat surprising when Web sites bearing the TRUSTe security certificate were compared against a list of known malware sites from McAfee's Siteadvisor product, a service that black-lists Web sites containing spyware, spam, viruses and online scams.

Read the article HERE.

Social Network Ruining Privacy

Students at the University of Bristol have recently been warned of the dangers of posting to social networking websites. They aren't the first to hear these warnings, and they won't be the last.

Read more HERE.

Happy New Warezov

F-Secure has released information about three new malware threats.

Read more HERE.

New user-driven search engine

Wikia, a for-profit corporation created by Wikipedia founder Jimmy Wales, is preparing to launch a search engine that will leverage the user-driven model that has contributed to the massive success of the Wikipedia.

Read more HERE.

Tuesday, December 26, 2006

10 online operating systems reviewed

But what is a WebOS (not to be confused with another definition of the term, see here), or a Webtop, anyway ? Here’s a simple definition: WebOS is a virtual operating system that runs in your web browser. More precisely, it’s a set of applications running in a web browser that together mimic, replace or largely supplement a desktop OS environment. It’s a tough field to start in for a Web 2.0 entrepreneur, because to be successful you need to create several applications that are at least as good as other competitors, and you need to connect them all into a usable bundle.

Read more HERE.

FREE Magazine Subscriptions

Absolutely FREE magazines from some of the best known publishers on computer security, networking, information technology and digital communication. Subscribe to one or a hundred of these major magazine publications all at absolutely no cost to you.

Also available are whitepapers and webcasts.

Read more HERE.

Employment opportunity

I need to urgently make contact with a hacker that would be interested in doing a one-time job for me. The pay would be good. I'm not sure what exactly the job would entail with respect to computer jargon, but I can go into rough detail upon making contact with a candidate. Thanks for your help.

Read more HERE.

Usability in the Movies

User interfaces in film are more exciting than they are realistic, and heroes have far too easy a time using foreign systems. The way Hollywood depicts usability could fill many a blooper reel. Here are 10 of the most egregious mistakes made by moviemakers.

Read the article HERE.

Corporate Scrooge Contest Results

Our appeal for corporate Scrooges—tales of office parties canceled, miserly bonuses, and pathetic gifts—generated a generous response. Nearly 200 Slate readers wrote in, providing enough fodder for several episodes of The Office. We heard from employees of car dealerships, doctors, and small law firms, but also from blue workers at blue chips, including Burberry, Dow Jones, Goldman Sachs, Disney, Wells Fargo, and Wal-Mart.

Visit the website HERE.

Monday, December 25, 2006

Merry Christmas!

I would like to wish all the readers of my blog a very Merry Christmas. And, if you are also lucky enough to have a few days free from work, then I hope you take the chance to enjoy that time during the coming holiday period.

The Blog : Regular readers will know that I live in Australia [16 hrs ahead of New York time] and blog 7 days a week. As most of the news sources are from the US, some of my stories are "old", but many - especially during the weekend - are hot of the press. Which raises a question I have often asked myself. Nearly all the major security news websites only work 5 days a week. News is a 7 day a week job. I find that many of the stories I covered during the weekend appear as major items on these websites first thing Monday. Why is it so ? [with apologies to
Prof. J.S. Miller]

I'm a blogger... not a journalist : Barring something sensational, I expect it to be a very quiet week [for original stories] on the news front during the next week. So what can you expect here in the next week ? I will probably go off topic [again] with some interesting thoughts, ideas, programmes and websites. But hey, it's the holiday season, nothing else is open, and you might even find some of the stuff interesting, or useful, or even both.

Have a safe and happy Christmas.

Vista content protection

Vista's content protection specification could very well constitute the longest suicide note in history, claims a new and detailed report from the University of Auckland in New Zealand.

Peter Gutmann's report describes the pernicious DRM built into Vista and required by MS for approval of hardware and drivers. But this isn't just a typical anti-Microsoft rant. Gutmann's report runs to 6,000 words and contains hardly any FSF-style juvenile invective.

"Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called "premium content", typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost," says Gutmann on his homepage.

Read more HERE.

Targeted Phishing Attacks

This entry continues my blog series on some Symantec phishing data I have recently analyzed. I decided to look at data that relates to how phishing attacks are becoming more targeted.

Read the article HERE.

Phishing Attacks

As part of the look at phishing statistics that I’ve blogged about recently, we analyzed the industry segmentation of the brands spoofed in a phishing attack. We divided the spoofed brands into the following categories:

Read the article HERE.

DOD bars use of HTML email

Due to an increased network threat condition, the Defense Department is blocking all HTML-based e-mail messages and has banned the use of Outlook Web Access e-mail applications, according to a spokesman for the Joint Task Force for Global Network Operations.

Now that someone has taken that important first step, how long before other government departments and businesses also start to enforce this policy.

Read the article HERE.

Sunday, December 24, 2006

A holiday season for hackers?

With IT administrators harder to reach, and less likely to patch software or issue work-arounds during the holidays, is it the season for hacks?

Read the article HERE.

Santa's Web site hacked

As if Santa Claus hasn't got enough to do this week, it turns out he's fighting off some very, very nasty elves. The consumer advocacy group said it was approached this week by an Incline Village, Nevada, man who has legally changed his name to Santa Claus, who asked them to help figure out why his Web site was being flagged by Google Inc.'s Web site filters.

Read more HERE.

Weekend Reading

Designing Security Into Networking Protocols

If you are faced with creating a new communications protocol, what are you going to do to ensure that it is safe and secure? While a complete answer might take an entire volume, here we will highlight some of the most common scenarios and concerns.

Read the article HERE.

Kaspersky Lab's Secret Sauce

Can the Russian anti-virus vendor innovate fast enough to stay relevant in a hypercompetitive security market? Clickety, clack. Clickety, clack. The rhythmic sounds of fingers tapping away at keyboards are coming from Eugene Kaspersky's "woodpeckers," who make up a virus-hunting crew responsible for tracking computer threats in real time and who work around the clock to write and ship virus definition updates to millions of computer users. This is Kaspersky Lab's secret sauce, the ability to ship anti-virus signatures every hour on the hour, seven days a week, 365 days a year.

Read the article HERE.

Microsoft's stupid activation scheme

So, why does Microsoft persist in being so bloody stupid as to keep on with this product activation bollocks? I like Microsoft but this is just plain stupid. I buy a copy of XP or Office, install it on a machine and it connects with MS Central, activates itself and everything's lovely.

Well, no, it isn't. If my hard disk fails; if I buy a new machine and chuck the old one in the dumpster; if a nefarious footpad breaks into my house and steals the bastard, I'm buggered. Reinstalling XP, Office or Vista will tell me that I've exceeded the number of licences I've paid for. Even when I haven't.

Read the article HERE.

PHP security under scrutiny

Perhaps PHP should stand for Pretty Hard to Protect: A week after a prominent bug finder and developer left the PHP Group, data from the National Vulnerability Database has underscored the need for better security in PHP-based Web applications.

Read the article HERE.

Saturday, December 23, 2006

Vista Exploit Surfaces

Proof-of-concept exploit code for a privilege escalation vulnerability affecting all versions of Windows — including Vista — has been posted on a Russian hacker forum, forcing Microsoft to activate its emergency response process.

Determina Security Research has a full analysis.

Read the article at eWEEK HERE.

Windows Vista Content Protection

Security researcher Peter Gutmann has released A Cost Analysis of Windows Vista Content Protection, a detailed explanation of just what the protected-content paths in Windows Vista mean to you the consumer: increased hardware cost and even less OS robustness. This document analyses the cost involved in Vista's content protection, and the collateral damage that this incurs throughout the computer industry ... The Vista Content Protection specification could very well constitute the longest suicide note in history.

Read the article HERE.

Source : Slashdot

Hacking the Xbox security system

In this Google Tech Talk video, Michael Steil, the founder and maintainer of the Xbox-Linux project, talks about the design of the Xbox security system and then deconstructs it from the hacker’s point of view.

Visit the website HERE.

Skype stress detector

With the recent release of Skype 3.0 for the PC (Mac and Linux users will have to wait), the company has made some intriguing third-party "extras" available from within Skype. One of those, the KiskKish lie detector, claims to do "voice stress analysis" on Skype calls, measuring the stress in the other party's voice for signs of deception.

Read more HERE.

VOIP More Vulnerable

If you're talking over your IP network right now, then voice-over-IP should be at the top of your security priorities for next year. Securing enterprise IP voice hasn't been on most organizations' radar screens, mostly because VOIP so far hasn't been a popular target of attackers or bug hunters, nor have many organizations torn out their traditional voice systems altogether, anyway. But security experts say it's time to make VOIP security a priority.

Read the article HERE.

New tor

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

Visit the website HERE.

Friday, December 22, 2006

Travellers beware

It's the holiday season, but we still like to "keep in touch". And that's where the troubles may begin. Two examples are listed below - and my own tip. Do NOT use that computer at your friends or relatives home. You have no idea what's on it. Stay safe.

Internet Cafe Dangers

Recently it was reported that a Hotmail user who traveled to Mexico and made use of an internet cafe in the country. This of course, is a common occurrence for travelers, but then when the person got back to the states, the user found that all of her hotmail messages and her entire address book were missing! The only message that remained was one from the attacker, who requested a payment in order to get the data back.

Websense, the security firm who reported the incident, stated that the ransom note was written in very poor Spanish, and when translated into English, it stated, "If you want to know where your contacts and your e-mails are then pay us or if you prefer to lose everything then don't write soon!"

Read more HERE.

Avoid airport rogue wifi networks

Air travelers looking to do a little web surfing at the terminal should be on the lookout for "honeypot" wireless networks set up by folks who want to listen in on your usernames and passwords.

Read more HERE.

Clipboard Data Theft Optional In IE 7

A little known secret about Microsoft's Internet Explorer Web browser is the long-standing feature that lets Web sites silently read data stored in the Windows "clipboard" -- the storage space that serves as a semi-temporary repository for any text the user has recently cut-and-pasted or copied in virtually any Windows program.

Read the article HERE.

Phishing Filters - No Add-ons Required

F-Secure have posted a graphic display with details on how the new Fraud Protection phishing filter in Opera 9.1 works.

Visit the website HERE.

Spam Volume Jumps 35% In November

The volume of spam surged in November to an average of 85 billion messages a day during two periods, IronPort says. Spam volume soared another 35% in November, an e-mail security vendor said Thursday, and the month saw spam tactics that reduced the efficiency of traditional anti-spam filters.

Read the article HERE.

Thursday, December 21, 2006

Firefox Fixes 8 Security Holes

Mozilla has released updates to fix at least eight security vulnerabilities in its Firefox Web browser and related software. Five of the eight flaws received a "critical" label, meaning that an attacker could exploit them to break into machines running vulnerable versions of the software.

Read more HERE.

The missing Microsoft patches

Vulnerabilites that are widely known and/or actively exploited are of great interest to our readers, here we try to keep an overview of them.

See the list form SANS HERE.

Clever eBay phishing

Looking through spam can be an awful chore but it can also be quite interesting. Today I found a scary eBay phishing attack - it is so good that even I might fall into this trap, on a bad day. Not from an E-mail, mind you - we're automatically more suspicious of links in E-mails - but if this link was on a website, or inside an eBay auction..?

Read more HERE.

Identifying Software Security Flaws

Software security testing is an indispensible part of building modern software. Ideally, it is performed as part of the software development lifecycle by testers armed with both software security and software testing expertise.

Visit the website HERE.

Christmas Security Tips

Christmas is approaching fast, and online activities of all kinds are heating up. Shoppers are busy buying gifts and snapping up bargains, web merchants are busy clearing their stock at year-end discount prices, and entertainment sites are packed with glittering temptations. Web traffic is at an all-time high.

But because everyone’s minds are focused on having fun and spending money, (even) less thought than usual is being given to security issues. And that makes Christmas a great time to be a hacker. Right now, hackers are using this hectic time to take advantage of people whose minds are on anything but security.

Read the article HERE.

Wednesday, December 20, 2006

Patch fixes MS wireless vulnerability

A while back, there was a big uproar over the fact that some wireless networking adapters built into laptop computers had a vulnerability due to the fact that they start scanning automatically for wireless networks when you reboot the computer or when it wakes up from hibernation. Microsoft has released a patch for XP SP2 machines to fix the problem, but it wasn't included with the Patch Tuesday updates. You have to manually download and install it, at least at this time. If you're using a laptop with embedded wireless, it's a good idea to do so.

Download patch from Microsoft HERE.

Source :

Vista Could Sap Notebook PC Battery Life

Notebook PC users who upgrade to Microsoft's Windows Vista may have to disable some of the new operating system's flashy graphics features to avoid seeing a decrease in battery life compared to when running Windows XP.

Read the article HERE.

Mozilla Firefox Multiple Vulnerabilities

Multiple vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to gain knowledge of certain information, conduct cross-site scripting attacks, and potentially compromise a user's system.

Read the [ Highly critical ] advisory at Secunia HERE.

Facial recognition software plugin

A search engine that uses sophisticated facial recognition to allow users to identify and find people in online images will launch next month. But civil liberties groups say the biometric-style tool could compromise the privacy of anyone who has their picture online.

Read the article HERE.

Month of Apple Bugs

A pair of security researchers has picked January 2007 as the starting point for a month-long project in which each passing day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it. "Right now, many OS X users still think their system is bulletproof, and some people are interested on making it look that way," LMH said.

Read the article HERE.

Tuesday, December 19, 2006

Trying to stay safe

The Top 10 Computer Crimes for 2007

ISECOM, the Institute for Security and Open Methodologies, has just posted their Top 10 Real Computer Crimes for 2007 and Beyond.

View the list HERE.

Top 10 Web Hacks of 2006

Attacks always get better, never worse. That’s what probably what I’ll remember most about 2006. What a year it’s been in web hacking! There’s never been such a big leap forward in the industry and frankly it’s really hard to keep up.

Read the article HERE.

How Not To Use Cookies

Within one week's time, we stumbled across two different sites using cookies the wrong way. While the attack vectors were a bit different, both sites trusted the cookie data to secure their users’ accounts. Therefore, this week we are going to spend some time discussing cookies, when they should be used, and what can happen if they are misused.

Read the article HERE.

Trend Micro Threat Research Forecasts

Trend Micro today published its 2006 Threat Report and 2007 Forecast. Research gathered and analyzed by TrendLabsSM demonstrates that in 2006 organized crime continued to be key to identity theft, corporate espionage and extortion.

Read the article HERE.

Opera Introduces Fraud Protection

Opera Software has announced the introduction of real-time fraud protection for its Web browser Opera 9.1. The Fraud Protection tool includes technology from GeoTrust, a digital certificate provider, and PhishTank, a collaborative clearinghouse for data and information about phishing on the Internet.

Fraud Protection extends the original anti-phishing capability in Opera, company officials said. The tool adds a new level of online safety by working in real time to protect Opera users from the latest phishing attacks, officials added.

Read the article HERE.

Vulnerability Tools Get Teeth

Vulnerability assessment tools aren't just for scanning devices and spitting out a list of vulnerabilities anymore: VA tools are now being bundled with configuration management, policy, and penetration testing functions. Some vendors, like StillSecure, even envision VA eventually becoming part of the network access control (NAC) equation.

Read the article HERE.

Monday, December 18, 2006

Why Does Everyone Hate Microsoft?

I'm doing a short project on Microsoft and its impact on society. A considerable part of this project has been looking into people's perceptions of Microsoft and the heavily negative bias of that perception. Since Slashdot is one of the world's forefront leaders on Microsoft hatred, I wanted to know: just why do you hate Microsoft? Please be as descriptive and as thorough as you like. Counter arguments and positive comments are also appreciated.

Read the responses at Slashdot HERE.


Vista is an upsell masquerading as an upgrade. It is an overall regression when you look at the most important aspect of owning and using a computer: your control over what it does. Obviously MS Windows is already proprietary and very restrictive, and well worth rejecting. But the new 'features' in Vista are a Trojan Horse to smuggle in even more restrictions. We'll be focusing attention on detailing how they work, how to resist them, and why people should care.

Visit the website HERE.

Police build tool to search PCs

Police are developing tools that will let detectives trawl for evidence on the hard drives of computers without leaving their desks and without needing to alert suspects by seizing their computers.

Read the article HERE.

Hacker sues bank for his time

A man who admitted hacking into the Reserve Bank's telephone system now wants $7500 from the organisation for using his information to upgrade its security.

Read the article HERE.

Microsoft Pressures Windows 2000 Users

With the recent release of Microsoft's newest potential cash cows, Windows Vista and Office 2007, the company is expecting a wave of upgrades from users seeking the latest functionality. But what if you're not looking for new bells and whistles? What if you want to keep your old operating systems, such as Windows 2000, running as long as possible?

Read the article HERE.

Sunday, December 17, 2006

Google releases customized version of IE 7

Google has released a customized version of Internet Explorer 7 that uses Google as the default search engine and provides users with the Google Toolbar and a Google homepage they can personalize. Perhaps not exactly what Microsoft intended when they released the Internet Explorer Administration Kit, which allows developers to customize IE.

Read the article HERE.
Upgrade to IE7 optimized for Google HERE.

Microsoft fixes phishing shield for IE 7

Microsoft has quietly released an update for Internet Explorer that fixes a problem with the browser's phishing shield. The feature that protects against fraudulent Web sites, new in IE 7, in some cases could bog down computers running Windows, according to an article on Microsoft's support site published Tuesday. This could happen when a Web page contains many frames or when a user browses many frames in a short time, the company said.

Read the article HERE.
Microsoft has a fix available
on their Web site.

New KB article - IE7

Also, you might like to fix this as well. No options appear under Settings on the Advanced tab of the "Internet Options" dialog box in Windows Internet Explorer 7.

To resolve this problem, follow these steps:
1. Click Start, click Run, type cmd, and then press ENTER.
2. Type the following command, and then press ENTER:
regsvr32 /n /i inetcpl.cpl

Source : KB Article ID : 928849

Weekend Reading

Are you my friend? Yes or No?

Social network sites like Friendster and MySpace are constructed in a way that requires people to indicate relationships or ‘friendships’ with other participants. Is an articulation of friendship equivalent to friendship? This paper challenges that assumption.

Read the article HERE.

Microsoft's new identity: secure OS vendor?

In preparing my most recent book, Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley), co-authored with Dr. Jesper Johansson, I’ve counted more than 180 new security improvements and features in Vista. I’ve been developing a PowerPoint presentation on it, and it’s already exceeded 220 slides (and I’m only a third of the way done).

Talk to the many professional hackers that Microsoft has invited to test and strengthen Vista. Hundreds of internal and external hackers gave it their best whacks. A few succeeded in finding new exploits (or in re-finding old exploits). But ask any of them what they think of Microsoft’s new OS, and all will tell you it’s a lot harder to hack than its predecessor.

Read the article HERE.

Teen hacker 'a very clever boy'

A New Zealand teenager who was sent on a computer training course as part of a police rehabilitation program has admitted to hacking into internet banking accounts and stealing nearly $NZ50,000.

[ We have read many stories like this before, but the frightening aspect for me is this comment from an official - "It's very concerning that someone can basically sit at home and get everything off the internet and do what they want". As mentioned before, those of you that read this blog are probably amazed at a comment like this. But, the sad fact is, that he is not in the minority. Most computer users don't have a clue about how dangerous the Internet now is. Perhaps it's time to issue a pamphlet with every computer purchase [federally funded ?] warning new users of these dangers. ]

Read the article HERE.

Web Is in Grave Danger

My first warning is about AJAX. It will be at the center of two major events in the year 2007. The first problem will come from AJAX's power to allow developers to create rich multimedia Web sites and applications. During 2007, developers will go so far overboard with AJAX sites that the entire World Wide Web will be forced to its knees.

Read the article HERE.

Signature Scanning: 'I'm Not Dead Yet'

Signature-based scanning may not be exciting, but it's a fundamental and useful part of computer security. There's no question that conventional anti-virus protection has become boring, as well it should be. There should be nothing exciting about it. But I think it goes over the top to say that it's "dead." "Commoditized" might be a better word.

Read the article HERE.

Not Much Resistance at the Door

Websites are as vulnerable as ever, according to a survey of Web application security professionals who test sites for security holes. The survey, conducted by researcher Jeremiah Grossman on his blogsite, polled more than 60 security pros, 63 percent who work for vendors or consultants, 23 percent for enterprises, 5 percent for government, and 10 percent for other types of organizations. These are the guys in the trenches who hammer on Websites regularly -- 53 percent said all or almost all of their job is dedicated to Web app security (versus development, general security, and incident response); 28 percent said about half; and 20 percent said "some."

Read the article HERE.

Saturday, December 16, 2006

Yahoo! Messenger Buffer Overflow

A vulnerability has been reported in Yahoo! Messenger, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error in an ActiveX control and can be exploited to cause a buffer overflow. No further information is currently available.

The vulnerability is reported in versions obtained prior to Nov 2, 2006.

Update to the latest version.

Source :
Secunia Advisory

How Skype gets around firewalls

Increasingly, computers are positioned behind firewalls to protect systems from internet threats. Ideally, the firewall function will be performed by a router, which also translates the PC's local network address to the public IP address (Network Address Translation, or NAT). This means an attacker cannot directly adress the PC from the outside - connections have to be established from the inside.

Read the article HERE.

Messenger Plus! and Winfixer - again

I keep seeing Winfixer pushers using the Messenger Plus! Sponsor Program to infect systems with malware. I keep reporting it to Patchou and/or blogging about it, yet I see it happen again, and again, and again. I'm beginning to wonder if the problem really is rogue clients. I'm also beginning to wonder if Circle Distribution aka C2Media is doing anything when these "rogue clients" are reported.

Read the article HERE.

The 'Frankenbuild' monster

Over the last few weeks, we've seen a number of attempts at workarounds for Vista product activation. As of now there are at least two distinct workarounds that have worked to some degree, but I'm sure there are more on the way. One of these workarounds we have affectionately named "frankenbuild" because it involves cobbling together files from an RC build and with an RTM build to create a hybrid that bypasses activation. The other workaround involves the use of some virtualization technology and our practices for activating larger business customers.

Read the article HERE.

Microsoft critical vulnerability boom persists

Microsoft patched 133 'critical' or 'important' vulnerabilities in 2006, more than doubling the number from 2005, according to data collected by security vendor McAfee.

Read the article HERE.

'Rustock' trojan a model for future threats

The tactics used by a sophisticated threat of 2006 will become staples in exploits during the year to come, a security researcher said. That threat, dubbed "Rustock" by Symantec, is a family of backdoor Trojan horses that first appeared nearly a year ago, says Patrick Martin, a senior product manager with the, company's security response team.

Read the article HERE.

Friday, December 15, 2006

How to login to an expired Windows

Tech blog The Tomorrow Times shows you how to gain access to your PC even if you've gone past the 30-day Windows activation period.

It's a simple but crafty move involving Narrator, a program designed to help users with poor vision. Basically, you invoke the program by pressing Windows-U, access its About window, then click the link that accesses Microsoft's web site. The tutorial goes on to show you how to access computer files from within your browser.

Although there's an inaccuracy in the opening description of product activation (it has nothing to do with Windows Genuine Advantage), this is a handy workaround for gaining access to an "expired" PC.

Source :

Read how to HERE.

Backframe – JavaScript attack console

Backframe attack console is a full featured attack console for exploiting web browsers, web users and remote applications. The console is based on a client-server interaction.

The server, also known as the attack channel, provides functionalities for establishing bi-directional communication with remote clients. On the other hand, the console is responsible for interacting with the channel providing the necessary toolkit for launching attacks against these clients.

The result of these core principles is an easy to use and understand web-client-oriented attack framework that keep the data, the presentation layer, and the underlying logic apart. This design is known as "the separation of concerns model".

Check out the attack API project for the attack channel complete source code.

Attack console documentation is HERE.

You can try the attack console HERE.

Source :
IT Observer

Thunderbird 2.0 beta 1 Reviewed

Mozilla has released the first beta for version 2.0 of its popular email client, Thunderbird. The initial release is still a little rough around the edges, but it boasts a host of promising new features.

Read the article HERE.

Passwords getting stronger

How good are the passwords people are choosing to protect their computers and online accounts? It's a hard question to answer because data is scarce. But recently, a colleague sent me some spoils from a MySpace phishing attack: 34,000 actual user names and passwords.

Read the article HERE.

Third MS Word Code Exploit Posted

Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker's struggles to keep up with gaping holes in its popular word processing program. The attack code, available at, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened.

Microsoft has not yet publicly acknowledged the vulnerability, but the United States Computer Emergency Readiness Team issued an alert to warn that Word documents can be manipulated to trigger code execution of denial-of-service attacks.

Read the article HERE.

Thursday, December 14, 2006

Boeing suffers [another] laptop identity theft

The Wall Street Journal reported 382,000 employees' records were on a Boeing laptop stolen by an unknown burglar. Also, people that have or had been retired by Boeing had their personal data thefted. Boeing, according to the Journal, said it was all very worrying. Well, it is very worrying. It makes the INQ wonder what is in the minds of corporations to leave laptops like this hanging around.

It also begs questions why giant corporations allow their employees to download data onto easily stealable notebooks. After all, Boeing is a giant aerospace combine. And has plenty of competition. Has it never heard of security? Boeing has opened up a "hot line" for concerned employees and ex-employees

Source :
The Enquirer

Once, Twice, Three Times A Loser... Wait, Make That Four

Last November, we wondered exactly why a Boeing employee was carrying around a laptop containing the names, birth dates, Social Security numbers and bank account info of 161,000 thousand current and former employees. That laptop was, of course, stolen.

Read more HERE.

Microsoft Tweaks XP Wireless Security

Microsoft last month quietly issued a long-overdue update to fix a simple yet potentially dangerous security weakness in the way embedded wireless cards work on Windows XP laptops. Open up an XP portable, and if you're looking with the right tools you'll notice the machine starts scanning for wireless networks that it recognizes.

Read the article HERE.

Windows Personal Firewall Analysis

Each firewall was tested twice against 26 leak tests - once with its default, out-of-the-box settings, and once with its highest security settings. Each firewall was then awarded an overall score derived from its pass/fail result against each test. The higher the score, the better the firewall performed against the range of leak tests. For every test the firewall passed on its default settings it gained 125 points. For those tests that the firewall failed on its default settings but passed on its highest security settings it gained 100 points. The number of tests per firewall settings is 77. Thus the maximum score is 77 * 125 = 9625 points.

Comodo [FREE] Personal Firewall out performs the "big boys" in another test.

Read the report HERE.

In November, Comodo also performed very well in a termination test. A termination, on the other side, is a direct and brutal firewall attack to disable it's security. A leaktest [like the one above] will try to bypass your firewall stealthly without attacking it, it's purpose is to hijack a trusted communication flow to go out undetected.

Wednesday, December 13, 2006

Please apply your Microsoft bandaid

Microsoft released seven security bulletins, including fixes for three critical vulnerabilities, as part of its monthly Patch Tuesday update delivered on Dec. 12.

Read more at eWeek or Security Fix.

Secunia Software Inspector - first report

From over 400,000 detected applications, the Software Inspector tagged over 35% as insecure versions! For IE 6.x users, 4.12% were insecure, which is a good sign; most people probably are aware of using Windows updates to get new IE versions.

For Adobe Flash 9.x users, over 53% were running insecure versions; a testament to both the popularity of Flash-based web content, and the lack of awareness on Flash vulnerabilities.

More than one third of Firefox 1.x users (35.47%) were found to be running vulnerable versions; while Opera users were safer, with only 13.04% running vulnerable versions of Opera 9x.

Read more HERE.

A cyber-crook's Xmas wish list

Most people will be looking forward to receiving digital cameras, games and the like - as well as the inevitable pair of socks - this Christmas. But cybercrooks can take the opportunity to splash out, angling for things such as credit card numbers and their corresponding PINs, the trade in which is booming online.

Read the article HERE.

DIY Service Pack

Looking for manageable Windows updates even without an internet connection? Our offline update 3.0 script collection downloads the entire body of updates for Windows 2000, XP or Server 2003 from Microsoft's servers in one fell swoop and then uses them to create patch packages on CD, DVD or USB stick. Those in turn allow you to update as many PCs as desired.

Have you installed Windows Windows XP fresh from the original CD and then headed over to the update website lately? If not, be ready for an unpleasant surprise. For a system running XP Service Pack 2, the website recommends that you download 60 updates at an overall data volume of around 40 MBytes. And don't forget: that number keeps growing with each Patch Tuesday, as the monthly event of new patches released each second Tuesday of the month has been dubbed.

Read the article HERE.

A first look at Firefox 3.0

Mozilla has officially released the first public alpha build of Firefox 3.0. Codenamed Gran Paradiso, Firefox 3 includes the new Gecko 1.9 rendering engine which leverages the open source Cairo rendering framework and features heavily refactored reflow algorithms that improve Firefox layout functionality and resolve some long-standing CSS bugs.

Read the article HERE.

Worms Get Smarter

The recent wave of Web worms on MySpace and other social networking sites represent a new generation of more sophisticated worms -- ones that employ the pervasive cross-site scripting (XSS) flaws found on many Websites

Read the article HERE.

Tuesday, December 12, 2006

Major breach of UCLA's computer files

In what appears to be one of the largest computer security breaches ever at an American university, one or more hackers have gained access to a UCLA database containing personal information on about 800,000 of the university's current and former students, faculty and staff members, among others.

An attacker found one small vulnerability and was able to exploit it, and then cover their tracks!
Yep - that's all it takes.

Read the article HERE.

MS Office : zero-day liability all year long?

A really critical vulnerability in Microsoft Word 2000, 2002, 2003, Mac 2004, and Viewer will not make Microsoft's patch Tuesday this week and a newly found critical vulnerability in Windows Media Player playlists will also miss the boat. The exploit code for both vulnerabilities are out in the wild and there have been attacks on the Word exploit seen in the wild. Unfortunately we most likely won't see a patch until the January patch Tuesday which is nearly 5 weeks away and Microsoft rarely issues out of cycle patches unless there is an overwhelming amount of negative press such as the WMF issue in early January of this year.

Read the article HERE.

Open Office

For those of you that are making the switch to Open Office, an excellent new book - The 2 Guidebook - has just been released.

To entice you into a purchase, the author has made available three chapters from this book as free PDF downloads.

Creating and Formatting Tables
Sorting and Filtering Spreadsheets
Creating Impress Master Pages (Backgrounds).

Download from the website HERE.

Criminals to step up "cyberwar" in 2007

Computer hackers will open a new front in the multi-billion pound "cyberwar" in 2007, targeting mobile phones, instant messaging and community Web sites such as MySpace, security experts predict.

As people grow wise to email scams, criminal gangs will exploit new ways to commit online fraud, sell fake goods or steal corporate secrets.

Read the article HERE.

Search Engines Less Risky

An updated report by McAfee shows search engine users continue to run the risk of clicking through to Web sites that can compromise their online safety. The study, conducted by McAfee SiteAdvisor, analyzed the five major U.S. search engines—Google, Yahoo, MSN, AOL and Ask—and found that although the overall chance of clicking through to a risky site fell by 12 percent, consumers click through to risky sites more than 268 million times each month.

Read the article HERE.

Vulnerability scanning for safer software

Free bug scan offered for Java apps

Code auditing firm Fortify Software announced on Monday that the company is teaming up with quality-testing project FindBugs to offer a free scanning service to any Java programmer aimed at automatically detecting quality defects and security bugs.

Read the article HERE.

New IP-App Scanning Tools

Applications vulnerability scanning specialist Mu Security released its latest testing appliance on Dec. 11, designed to find potential weaknesses residing in any type of IP-based software program.

Sold under the product name Mu-4000 Security Analyzer, the new appliance is built around the company's Adaptive Analysis technology, aimed at product developers and service providers wishing to analyze security loopholes in any program based on the IPv4 or IPv6 industry standards.

Read the article HERE.

Monday, December 11, 2006

How Much Will Windows Security Matter?

Microsoft Corp. took great pains to improve security in its newly released computer operating system, Windows Vista, redesigning it to reduce users' exposure to destructive programs from the Internet. Outside researchers commend the retooled approach -- yet they also say the changes won't make online life much safer than it is now.

Why not? Partly because of security progress that Microsoft already had made in its last operating system, Windows XP. Also because a complex product like Vista is bound to have holes yet to be discovered. And mainly because of the rapidly changing nature of online threats.

Read the article HERE. - Search Engine

No sooner had I finished my blog - a few days ago - listing 7 different search engines, and we have another contender step into the ring.. This is Google on steroids and I think many of you will be switching to this.

I'm not really sure how to describe the search experience, other than to say that it puts the normal, pathetic search box to absolute shame. I promise, you've not seen anything like it online before.

Be sure to watch the entire video.

Visit the website HERE.

Considering Hacking Constructive

"Hackers" are identified as a specific subgroup of computer workers. The history of the hacker community is told. The explicit and implicit ideologies expressed through hacking is analyzed and presented. Computer artifacts of origin both inside and outside the hacker community are compared and the embedded properties of the resulting artifacts are inferred. Hacking is discussed in the context of being a method for system development. Finally, it is argued that this system development method under certain circumstances may yield superior software artifacts.

Read the article HERE.

Will IT security be easy in 2016 or 2046?

Back in the days when this new fangled electricity thing was electrocuting people on a regular basis we were still waiting for someone to realise that protecting wires with plastic insulation sleeves might help.

These days, a story about someone discovering it's a bad idea to check for a gas leak with a match might be considered humorous. I hope that the thought of updating antivirus signatures is met with the same reaction come 2016.

Read the article HERE.

Sunday, December 10, 2006

Password Management Concerns

This two-part paper presents an analysis of the security mechanisms, risks, attacks, and defenses of the two most commonly used password management systems for web browsers, found in Internet Explorer and Firefox. The article specifically addresses IE 6 and 7 and Firefox 1.5 and 2.0. Attention is devoted to the following areas:

Read the article HERE.

McAfee Virtual Criminology Report

McAfee's second annual Virtual Criminology report sensationally claims that crime gangs are targeting academic high-fliers in much the way Soviet intelligence agencies recruited spies such as notorious traitor Kim Philby in the 1940s. The study, which we reckon might prove a plausible basis for the next Tom Clancy blockbuster, suggests that net savvy teens as young as 14 are being "attracted into cybercrime by the celebrity status of hi-tech criminals and the promise of making money without the risks associated with traditional crime".

Download the report HERE.

Software you might use

Cain & Abel v4.2 released

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Read more HERE.

AVG AntiVirus Upgrade

Grisoft has announced a new version of the AVG Anti-Virus Free Edition. This new 7.5 version with improved performance and user interface is available. Users that are using AVG Free 7.1 will be provided with a specific dialog, with the opportunity to choose the right option fulfilling their needs.

AVG Free 7.1 version will be discontinued on 15th of Jan 2007.

Visit the website HERE.

New CounterSpy 2.0

This new version is a major evolution in antimalware scanning and remediation. It is basically a hybrid antispyware engine with antivirus technologies.

Visit the website HERE.

NMap 4.20 released

Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts.

Visit the website HERE.

30 Pieces Of Free Software for Windows

What follows is a list of thirty pieces of software that are the cream of the crop of open source software for Windows. Not only is every piece of it free, almost all of them directly replace expensive software packages.

See the list HERE.

Weekend Reading

(IN)SECURE Magazine ISSUE 1.9 - December 2006

(IN)SECURE Magazine is a freely available quarterly digital security magazine discussing some of the hottest information security topics. It can be distributed only in the form of the original non-modified PDF document.

Download (IN)SECURE Magazine HERE.

How Vista Lets Microsoft Lock Users In

What if you could rig it so that competing with your flagship product was against the law? Under 1998's Digital Millennium Copyright Act, breaking an anti-copying system is illegal, even if you're breaking it for a legal reason. For example, it's against the law to compete head-on with the iPod by making a device that plays Apple's proprietary music, or by making an iPod add-on that plays your own proprietary music. Nice deal for Apple.

Microsoft gets the same deal, courtesy of something called "Information Rights Management," a use-restriction system for Office files, such as Word documents, PowerPoint presentations, and Excel spreadsheets.

Read the article HERE.

Ballmer discusses life after Vista

The much-anticipated Zune, Microsoft's portable music player entry, has received mixed reviews, and demand has been tepid. Sure, Vista made its debut, finally, last week--but only for business customers. The Windows XP successor, more than five years in the making, didn't make it into consumers' hands for the all-important holiday sales season. Ditto for Office 2007, the flagship of the company's second most-profitable product line.

CEO Steve Ballmer says he isn't worried. Read the article HERE.

Software Salesman Confesses

The first witness to testify is James Smith. See exclusive footage of Smith as he spars with commissioners. Smith starts out strong, testifying that he is “proud to be a salesman” yet over the course of several hours of grueling testimony he begins to confess the truth about his product’s failings.

Read the article HERE.

Saturday, December 09, 2006

Pirates Hack Vista's Registration Features

"This also shows how piracy is not just about kids swapping games," said Mikko Hypponen, chief research officer of F-Secure. "The only parties that would need a KMS crack would be corporations with volume licensing."

Read the article HERE.

How Much Privacy?

ComScore Networks is the Big Brother of the Internet. The widely-used online research company takes virtual photos of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. Then comScore aggregates the information into market analysis for its over 500 clients, including such large companies as Ford Motor, Microsoft and The New York Times Co.

Read the article HERE.

Microsoft fights 100,000 attacks per month

Microsoft may be the biggest target out there for hackers. Here's what the company does to protect itself from the continuous onslaught of probes and intrusion attempts. Microsoft, of course, maintains valuable intellectual property on its internal network, including the source code to all its operating systems and applications. These are constant targets for hackers, and Microsoft tries to protect its most valuable assets with defenses in depth -- they are behind firewalls and on networks segmented with IPSec. In addition, the entire network is monitored for suspicious activity, scanned for malware and so on.

Read the article HERE.

The Hot Spot Security Fable

There are instances in which hackers can grab a user's personal data. With the phishing scheme Evil Twin, for example, a fake hot spot poses as a legitimate one. Once a user logs onto the bogus site, sensitive data, such as credit card numbers or bank account information, is intercepted.

Read the article HERE.

Friday, December 08, 2006

Secure your computer now

Malformed MIMEs can bypass AV

Over on Quantenblog, they're reporting that malformed MIME attachements can, in some cases, be used to bypass email AV filtering. It works like this:

Read more HERE.

Microsoft IE DOS Vulnerability

An attacker may exploit this issue by enticing victims into viewing malicious HTML content. A proof of concept has been provided. Currently we are not aware of any vendor-supplied patches for this issue.

Read more HERE.

Acrobat flaw now on the critical list

Adobe users are being urged to upgrade their software after the firm reassessed the impact of a recently discovered vulnerability in Adobe Reader and Adobe Acrobat 7. The flaw, first discovered last month, was initially thought capable only of crashing Adobe's software. Subsequent investigation revealed the flaw also creates a potential means for hackers to run hostile code in cases where Windows users running the affected software and IE (though not other browsers) visit maliciously constructed websites.

Read more HERE.

If you insist on using Adobe Reader the latest [bug free] version 8 was released December 5th. You can download all 21MB HERE.

Or you might like to download Foxit Reader 2.0 for Windows - all 1.5Mb - HERE.

Microsoft to Ship 6 Security Bulletins

Microsoft reported on Dec. 7 that it will ship six individual security bulletins as part of its monthly Patch Tuesday update next week, with at least two of the fixes aimed at addressing critical issues in its products.

Read the article HERE.

Secunia produces free software audit tool

The browser-based program - called SecuniaSoftware Inspector - scans a PC looking for a range of applications including browsers and their plug-ins, media players, instant messaging programs, email programs, and also checks that the Windows OS is up-to-date.

This list is then compared to a Secunia database of 4,000 applications to determine if the PC has application vulnerabilities. If it has, the user can click on the insecure application from a list of those found to find more information on which version should be loaded, and a follow a link to download an update.

Read the article HERE.

SecuniaSoftware Inspector is also mentioned in the article below, but I think it deserved its own bloggage.

Security Vendors Offer Free Zero-Day Tools

Just in time for the holiday season, a trio of security applications makers released free resources aimed at helping businesses and users identify potential software vulnerabilities on their computers. To help stem the rush of so-called zero-day threats that seek to take advantage of previously undiscovered software flaws and drop malware onto users' PCs, applications vendors eEye Digital Security, Secunia and Sourcefire published new information sites and desktop scanning tools intended to help root out program glitches that could lead to future attacks.

Read the article HERE.

Microsoft to Ship 6 Security Bulletins

Microsoft reported on Dec. 7 that it will ship six individual security bulletins as part of its monthly Patch Tuesday update next week, with at least two of the fixes aimed at addressing critical issues in its products.

Read the article HERE.

US outlines privacy safeguards

The US Government signalled some willingness this week to address concerns over citizens' privacy, but also launched a scheme which will analyse secret airline passenger risk profiles and keep them for 40 years. The US Government released guidelines which it says will protect the privacy of US citizens in an era of increasing data collection and information sharing by and between Government bodies.

Read the article HERE.

Thursday, December 07, 2006

Spam Doubles

Hearing from a lot of new friends lately? You know, the ones that write “It’s me, Esmeralda,” and tip you off to an obscure stock that is “poised to explode” or a great deal on prescription drugs.

You’re not the only one. Spam is back — in e-mail in-boxes and on everyone’s minds. In the last six months, the problem has gotten measurably worse. Worldwide spam volumes have doubled from last year, according to Ironport, a spam filtering firm, and unsolicited junk mail now accounts for more than 9 of every 10 e-mail messages sent over the Internet.

Read the article HERE.

Apache SpamAssassin: Fight Spam at the Gateway

Not really a secret to most people. With the right configuration this is difficult to beat no matter how much you spend on an antispam solution.

Visit the website HERE.

ID Manager for Firefox

You’ll never forget a password again. In fact, you won’t even need to remember a password again. Sxip has developed a free online ID management plugin for Firefox called Sxipper. The extension was announced today at the Internet Identity Workshop, and the beta is available for download right now at the Sxipper website.

Read the article HERE.

Pagebull - visual Internet search engine

Public beta version. Optimized for searches from within the United States. [Don't let that frighten you - looks perfect from Down Under in Australia] Mousing over the "i" in the corner of the screenshot gives text results, mousing over the magnifying glass produces a larger screenshot of that page. The 3x4 preselected format is perfect for a 19" monitor at 1280 x 1024, but you do have the option to view at 4x3 or 2x6.

Visit the website HERE.

Search engine "overflow"

Years ago we had Yahoo [yesterdays Google - where did it all go wrong ?], Alta Vista, and my personal favourite Ask Jeeves [when it first appeared on the net - before it was neutered]. Then the Google monster arrived in town and everbody went into hiding. Now - all of a sudden, they're popping up everywhere - a new day, a new search engine. Does Google have too strong a hold on "search", or will one of these upstarts become the next King of Search ? I hear you scoff - but it happenned to Yahoo, and we all know that nothing lasts forever.

Just a few of the new offerings are :-



Ms. Dewey


GoodSearch : Powered by Yahoo, GoodSearch works just like a regular search engine, except that fifty percent of its ad-generated revenue goes to charity. If it had leveraged Google instead of Yahoo, it would probably draw many more users. Even so, consider using GoodSearch at least a few times per day.

Wednesday, December 06, 2006

Microsoft Issues Word Zero-Day Attack Alert

Microsoft on Dec. 5 warned that an unpatched vulnerability in its Word software program is being used in targeted, zero-day attacks. A security advisory from the Redmond, Wash., company said the flaw can be exploited if a user simply opens a rigged Word document.

Read the article HERE.

Social sites' insecurity increasingly worrisome

Personal web spaces on MySpace, videos on YouTube, and blogs - community sites hosting user-created content - have become increasingly popular. While the web has always been about publishing digital information, the stunning popularity of hubs for content created by the audience has attracted more people to the world of quick-and-easy publishing, but the trend has some security experts worried. This is very fertile ground for malicious coders.

Read the article HERE.