Tuesday, July 31, 2007

Cyber Security Bulletins July 30, 2007

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read more HERE.

How to Hack IPS Signatures

Careful, that zero-day signature you just got from your IPS vendor could be used against you: Researchers from Errata Security at Black Hat USA this week will show how an attacker can easily reverse-engineer these zero-day filters that IPS (intrusion prevention system) vendors distribute, and then use them to leverage an attack.

Read the article HERE.

So many passwords, so little memory

On an average day I need to remember umpteen different chunks of otherwise useless information. I turn on my mobile phone - it needs a password. I get to work and my computer needs a password. At a former job, my computer needed two passwords, one of which had to be changed every month and could not have any characters in common with the previous month's password.

Like many people in Britain, I have two bank accounts. One needs a five-digit number and a password; the other a six-digit number and a memorable place name. I have an online savings account that needs a different password from the password for my bank account.

Read the article HERE.

Secure File Deletion: Fact or Fiction?

This paper [PDF] will deal with how and where some of these files are created and how to securely remove them from a system. Microsoft Windows operating systems and associated applications will be the main focus. The paper is divided into two main sections. The first section is designed to be a primer on the types of information that can be found on a hard drive; it is not a fully detailed data recovery/computer forensics tutorial, but is designed to show security professionals how much information can be found on a hard drive. The second section deals with the concepts behind securely deleting files and associated data from a hard drive.

Download the article HERE.

The Story of DEFCON

Jeff Moss aka Dark Tangent, the founder of DEFCON and Black Hat, tells the history of the largest hacker conference and how it all got started. Find out more about the early days of the hacking scene when dial-up was considered fast, how the security space changed around the conference as years went by, and discover some bizarre things that take place at the event.

Watch the video HERE.

Does your Computer Drive you Crazy?

Read this, and other articles at WXPNews HERE.

Black Hat 'supersizes' in Las Vegas

The 11th annual Black Hat security conference will occupy more space at Caesars Palace this year in order to accommodate more people, more topics, and, of course, more controversy.

The conference kicked off over the weekend, starting with four days of topic-specific training, before concluding Wednesday and Thursday with two days of public sessions.

Read the article HERE.

Monday, July 30, 2007

Realtek network driver silently corrupts data

My Realtek network adapter which is one of the most ubiquitous on-board Gigabit Adapters in the world was the culprit and it had been causing me some massive grief for months and I just didn’t know it. Almost every modern Desktop Motherboard I know uses this particular on-board Gigabit adapter and I have to wonder how many millions of people are being affected by this issue and I have to wonder if this problem exists in any of the Server-based adapters from Realtek. More specifically, Realtek driver version 6.191 was the culprit.

Read the article HERE.

Security top concern for new IETF chair

Russ Housley is the first chair of the IETF with a particular expertise in network security. Housley, who runs consulting firm Vigil Security, has been active in the IETF for nearly 20 years and helped write early e-mail security and public key infrastructure standards. Three months into his job as chair of the leading Internet standards body, Housley talked with Network World National Correspondent Carolyn Duffy Marsan about his strategy for bolting better security onto the freewheeling Internet.

Read the article HERE.

Viruses, worms, botnets and hacking

Instructional videos for new computer users

Read more HERE.

Are security pros worrying about the right stuff?

These stories slipped through the cracks, but, if you missed them, take a quick look now.

When asked what they worry about, CSOs and CISOs cite regulatory compliance and security controls overlooked in IT projects. Some acknowledge a general angst that simply boils down to the great unknown of system-wide chaos.

But are security pros worrying about the right things? When asked this, many independent observers, former CSOs or consultants working with CSOs, offer a different perspective. They think security pros need to worry more about retaining the best staff and should be careful not to become too consumed with regulatory compliance.

Read the article HERE.


10 critical physical security measures
Remember that network security starts at the physical level. All the firewalls in the world won't stop an intruder who is able to gain physical access to your network and computers, so lock up as well as lock down.

Read the article HERE.


The Basics of Virtual Private Networks
This document introduces the concept of a VPN – Virtual Private Network - and provides some initial insight into how these tools are used in the context of an overall security framework.

Read the article HERE.


Breaking into a VPN
VPN encryption itself is almost impossible to crack, so the best place to try to get into a VPN is at the two end points. On the one hand, we have VPN gateways, a company's central dial-in point; on the other, the VPN client of mobile users, such as notebooks.

Read the article HERE.

Sunday, July 29, 2007

What body part next

We are entering the dawn of a new "body part" recognition era of security measures. This week I read an article about vein patterns as an alternative to fingerprints. Is this a step in the right direction - or not? Or is this just a lazy way of trying to secure your information?

The traditional way - full disk encryption - is just too hard for the average home computer user. And, it seems, also for the corporate world! Most people don't require full disk encryption, but even encrypting the files that hold their sensitive information seems too big a hurdle for most to jump. Unless their software is set to auto-update, most users won't even download security patches. Why? Because, I think, they are unaware of the consequences. Even with the increased media coverage of identity theft, password stealing and other security-related issues, most users just do not realise the dangers they face. They still open attachments and click on anything and everything they see.

But now they can purchase laptops with fingerprint ID, or hardware attachments for their PC that perform the same task. Easy, isn't it? And what are the risks? Many of you would have read the story of an armed gang of four who kidnapped one of the world's top RPG gamers, then tortured him for a stupid game password. Yes, I know it happened in Brazil. It could never happen here in [insert your country's name]. Could it?

If the stakes are high enough, so are the risks.

Hacker Alarm for Your Web Mail Box

Use a clever trick and free tools to find out if someone has been snooping into your e-mail to steal information.

Read the article HERE.

Security Via USB

Sure, most of the time PC security involves software—suites, spyware scanners, spam filters, and so on. Sometimes, however, security comes in a completely different package. Here are four wildly different examples of PC security products that plug into that versatile USB port.

Read the article HERE.

Using DBAN to totally wipe a drive

This video shows how to use Darik's Boot and Nuke (DBAN) to totally wipe a drive.

Watch the video HERE.

And you may like to look at the "Ten most recent posts" video list - with "Selective file shredding (DOD 5220.22-M) with Eraser and CCleaner to thwart forensics tools" probably being of interest to many.

Input Anchoring

The importance of input anchoring in password recognition - I recently made a discovery that shows the importance of anchoring the input when trying to match a password. By this I mean that there should be no extra characters accepted either before or after the password (i.e., no extra characters that could be part of the password). Unanchored matching greatly weakens the defense against brute forcing the password.

Read the article HERE.
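As an added illustration that is not part of the linked article (the secret, the alphabet and the two check functions below are constructed for the demo): a check that accepts the submitted text if it matches anywhere inside the stored password turns the login form into an oracle that leaks the password one character at a time, while an anchored whole-string comparison gives the attacker nothing to work with.

```python
import hmac
import re
import string

# Constructed demo secret and guess alphabet; both are assumptions for this
# example, not values from the article.
SECRET = "s3cret9"
ALPHABET = string.ascii_lowercase + string.digits


def unanchored_check(stored: str, submitted: str) -> bool:
    """Weak check: the submission is accepted if it matches ANYWHERE inside
    the stored password, i.e. the pattern is not anchored with ^ and $."""
    return re.search(re.escape(submitted), stored) is not None


def anchored_check(stored: str, submitted: str) -> bool:
    """Hardened check: the whole string must match, compared in constant time
    so the fix does not replace a matching oracle with a timing oracle."""
    return hmac.compare_digest(stored.encode(), submitted.encode())


class LoginOracle:
    """Stands in for the login endpoint and counts the guesses it answered."""

    def __init__(self, check, stored: str = SECRET):
        self.check = check
        self.stored = stored
        self.queries = 0

    def __call__(self, guess: str) -> bool:
        self.queries += 1
        return self.check(self.stored, guess)


def recover_password(oracle, alphabet: str = ALPHABET) -> str:
    """Character-by-character recovery against an unanchored check.

    Every accepted guess is a substring of the password, so we grow a known
    substring one character at a time, to the right and to the left, until
    neither side extends any further.  Cost is roughly len(password) times
    len(alphabet) guesses instead of len(alphabet) ** len(password).
    Against an anchored check no single character is ever accepted, so the
    function returns an empty string.
    """
    known = ""
    for c in alphabet:                 # find any one character of the secret
        if oracle(c):
            known = c
            break
    if not known:
        return known

    grew = True
    while grew:
        grew = False
        for c in alphabet:             # try to extend to the right
            if oracle(known + c):
                known += c
                grew = True
                break
        for c in alphabet:             # try to extend to the left
            if oracle(c + known):
                known = c + known
                grew = True
                break
    return known


if __name__ == "__main__":
    weak = LoginOracle(unanchored_check)
    print("unanchored:", recover_password(weak), "after", weak.queries, "guesses")
    strong = LoginOracle(anchored_check)
    print("anchored:  ", repr(recover_password(strong)), "after", strong.queries, "guesses")
```

Run as-is it recovers the demo secret in a few hundred guesses against the unanchored check and recovers nothing against the anchored one. The same two-sided extension works for any check that accepts a proper substring; a check that is anchored only at the start (extra characters accepted after the password) falls to the right-extension half alone.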

Weekend Reading

Ubuntu Live: Mark Shuttleworth's keynote

The Ubuntu Live conference began yesterday in Portland, Oregon with Mark Shuttleworth's keynote presentation. Shuttleworth, the Ubuntu project's charismatic leader, discussed a wide variety of topics relating to Canonical's business prospects and the future of the Ubuntu Linux distribution.

Read the article HERE.

==================================================================
Dumpster-diving for e-data

Dumpster-diving - going through trash bins in hopes of finding paper records with valuable information like customer names or future product plans - is alive and well in the age of USB flash drives and portable music players.

Take a look HERE.

==================================================================
Organized crime infiltrates financial IT

In Martin Scorsese's hit movie "The Departed," actor Matt Damon plays the part of a mole -- someone who helps his connected mob friends stay a step ahead of the cops by becoming one of the very law enforcement officials assigned to stop them.

A new report published by anti-fraud software maker Actimize on July 23 says a similar ruse is being carried out inside the walls of enterprise financial businesses, with the same employees and IT workers whose responsibility is handling and protecting sensitive information being trained and recruited by organized criminals to steal it.

Take a look HERE.

==================================================================
Top 10 Most Serious Web Application Vulnerabilities in 2007

The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.

Take a look HERE.

==================================================================
Dearly Departed

Companies and Products That Didn't Deserve to Die : The computer industry is an unforgiving place. One slip, and today's darling becomes tomorrow's footnote, regardless of its previous track record. One lousy upgrade can be enough to do in a company, especially if a nimble-footed competitor leaps in with smart marketing and a usable product.

Take a look HERE.

==================================================================
A fool and their money are soon parted

I received an email from the son of a rich farmer in Zimbabwe recently, the poor guy is in a terrible predicament. His father has been assassinated and he has been left a $7.7 million inheritance, but he’s worried that Africa isn’t a safe place to invest the money. This is where I come in. He wants to give me 35% of the total if I invest the money for him in the UK!!

Sound familiar? Take a look HERE.

Saturday, July 28, 2007

Critical flaw hits Yahoo Widgets

A 'highly critical' vulnerability has been discovered in Yahoo Widgets that could allow a remote attacker to run code on a user's PC. However, security firm Secunia, which rated the flaw as 'highly critical', said that other versions of Yahoo Widgets may also be affected.

Users can fix the flaw manually by downloading the latest update from the Yahoo Widgets website and updating the software to version 4.0.5.

Read the article HERE.

Apple frantic about Black Hat conference

With security researchers set to reveal details of a critical security flaw in the iPhone at the Black Hat 2007 conference next week, Apple Inc. now has fewer than seven days to patch a critical vulnerability in the product.

The iPhone hack is one of several disclosures planned that could lead to fireworks as more than 3,000 hackers and security professionals converge at Caesars Palace Las Vegas for the annual confab.

Read the article HERE.

BBC iPlayer beta arrives

UK residents : the iPlayer beta is here. As it announced last month, the BBC launched a large-scale beta of its iPlayer catch-up software today.

Read the article HERE.

Update: Wikia search engine's new Web crawler

Wikia's project to develop an open source search engine got another boost with its acquisition of the Grub distributed Web crawler. Wikia acquired Grub from LookSmart and released it under an open source license, adding a significant component to Search Wikia, scheduled to debut in this year's fourth quarter.

Read the article HERE.

Virtualization's New Benchmark

If you're not sure how best to configure your virtual machines for security, sit tight. The nonprofit Center for Internet Security (CIS) is about to release a security benchmark that gives you the lowdown on how to lock down your virtualized systems.

Virtualization may be convenient, efficient, and eco-friendly, but it's also a big fat security risk if you don't configure it properly. There's no guarantee your security policies will carry over to those tens of thousands of virtual servers affiliated with your thousands of physical machines. The hypervisor layer, for instance, creates a new security attack vector, and tracking moves, changes, and patching of VM machines can get out of control.


Read the article HERE.

Two Factor Authentication

I spent last night installing the latest version of AuthAnvil and RWW-Guard on our network. Between the two, we now have a far more secure environment that enforces Two Factor Authentication (TFA) for access to critical accounts and resources. Normal Windows authentication is a single factor authentication - your password.

Read the article HERE.

Escape from Vista Hell

Imagine buying a new car and having to wait six months for a set of radials that are compatible, or getting a new car stereo and discovering it can't play CDs produced before 2006. Only in high tech can companies get away with this kind of crap.

Read the article HERE.

Gmail: a short, sharp rant

I am a Gmail user and have been telling people how much better it is than Toytown free mail systems like Hotmail or Yahoo!, offering enough storage that they were able to say "never delete an email again". But the situation here was quite unequivocal. A friend rang up and said: "I sent you that email, and I've just got a message from Google saying: "A message that you sent could not be delivered to one or more of its recipients. This is a permanent error."

Read the article HERE.

Friday, July 27, 2007

Black Hat 2007: Lessons of the Estonian attacks

There hasn't been a lot of information about what happened in Estonia, but there has been a lot of commotion and discussion. Once I discuss what actually happened and how Estonia's CERT (Computer Emergency Response Team) responded to the incident, I'd like to try and address the strategic lessons learned. What worked for the defense and for the attackers? I'll discuss the impact and what could be replicated on the part of future attackers and defenders. This has been called the first Internet war.

Read the article HERE.

Throttle me this: An introduction to DPI

Imagine a device that sits inline in a major ISP's network and can throttle P2P traffic at differing levels depending on the time of day. Imagine a device that allows one user access only to e-mail and the Web while allowing a higher-paying user to use VoIP and BitTorrent. Imagine a device that protects against distributed denial of service (DDoS) attacks, scans for viruses passing across the network, and siphons off requested traffic for law enforcement analysis. Imagine all of this being done in real time, for 900,000 simultaneous users, and you get a sense of the power of deep packet inspection (DPI) network appliances.

Read the article HERE.

Newcastle council credit card file lifted

Newcastle City Council has compromised private details of up to 54,000 people who made payments to it by credit or debit card between February 2006 and April 2007.

The council said details were "inappropriately released" of transactions for "council tax, business rates, parking fines, and rent payments... other services, such as at leisure centres, tourist information centres, museums, theatres and galleries have not been compromised".


Read the article HERE.

Setting up an Encrypted Debian System

Ever since I heard that the new Debian “etch” installer supports encrypted LVM, I wanted to try having an encrypted disk. Given recent news stories about loss of identity information from stolen laptops, it is certainly not paranoid to want to do this — and if you tell me otherwise you are probably one of those guys trying to steal my identity information!

One way would have been to re-install Debian on my laptop from a Debian install CD after saving all my data — but I can already hear sarcastic clucking sounds to the accompaniment of flapping arms folded at the elbows if I even think this way. The whole point of the exercise would be lost if I have to re-configure my laptop all over again. So here goes!

Read the article HERE.

Sophos Security Threat Report

Malware is not just a Microsoft problem, as Sophos reveals a sharp rise in web threats and uncovers the latest trends in viruses, spyware and spam.

Read the article HERE.

Mozilla to push Thunderbird out of the nest

In a blog entry written yesterday, Mozilla CEO Mitchell Baker discusses plans to create a new organizational structure for Thunderbird so that Mozilla can focus exclusively on the Firefox web browser.

Mozilla's CEO is concerned that the organization can't give Thunderbird the attention it needs without degrading its efforts to continue building and supporting the Firefox ecosystem.

Read the article HERE.

Microsoft releases rich media apps betas

This week Microsoft is quietly delivering a flurry of updates to its developer community, including the release candidate version of Silverlight, the new rich media competitor to Adobe's Flash Player. Also available for download will be a Silverlight plug-in for Visual Studio 2008 Beta 2 -- another huge hunk of bits Microsoft is making available for download this week. None of this would be complete without Beta 2 of the 3.5 version of the .Net Framework itself, also ready for downloading.

Read the article HERE.

Thursday, July 26, 2007

New Tor version improves security and anonymity

The developers of the Tor anonymity service have eliminated multiple security vulnerabilities in their new version 0.1.2.15. Using the now fixed vulnerabilities listed in the release notes, attackers can potentially exploit previous versions of the software to take control of Tor computers remotely, manipulate transferred data and monitor user behaviour. One of the bug fixes provides for overall improved anonymity in the Tor network.

Read the article HERE.

UW CSE and ICSI Web Integrity Checker

Some ISPs are resorting to a new tactic to increase revenue: inserting advertisements into web pages requested by their end users. They use a transparent web proxy (such as this one) to insert javascript and/or HTML with the ads into pages returned to users.

Have you wondered how often this is happening? And whether it's happened to you?

Read more HERE.
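An added example, not the UW/ICSI checker itself: a small Python check that compares the active content (script, iframe, embed and object references) of a page as served with a reference copy and reports anything a transparent proxy would have spliced in. The two HTML documents and the ad host name are constructed for the demo.

```python
from collections import Counter
from html.parser import HTMLParser

# Constructed sample pages for the demo (not real sites): the "served" copy is
# the reference copy with a remote script and an iframe spliced in, which is
# what an ad-injecting transparent proxy does.
REFERENCE_HTML = """<html><head><title>Example</title>
<script src="/static/app.js"></script></head>
<body><p>Hello</p><script>init();</script></body></html>"""

SERVED_HTML = """<html><head><title>Example</title>
<script src="/static/app.js"></script>
<script src="http://ads.isp.example/inject.js"></script></head>
<body><p>Hello</p><script>init();</script>
<iframe src="http://ads.isp.example/frame.html"></iframe></body></html>"""


class ActiveContentCollector(HTMLParser):
    """Records every script (external or inline), iframe, embed and object."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._inline = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.items.append(("script-src", a["src"]))
            else:
                self._inline = []
        elif tag in ("iframe", "embed", "object"):
            self.items.append((tag, a.get("src") or a.get("data") or ""))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.items.append(("script-inline", "".join(self._inline).strip()))
            self._inline = None


def active_content(html: str):
    parser = ActiveContentCollector()
    parser.feed(html)
    parser.close()
    return parser.items


def find_injected(reference_html: str, served_html: str):
    """Active content present in the served page but not in the reference.
    A multiset difference, so a duplicated tag is reported as an addition."""
    extra = Counter(active_content(served_html)) - Counter(active_content(reference_html))
    return list(extra.elements())


if __name__ == "__main__":
    for kind, ref in find_injected(REFERENCE_HTML, SERVED_HTML):
        print(f"injected {kind}: {ref}")
```

Comparing extracted active content rather than raw bytes keeps the check robust to harmless whitespace or charset differences; on the constructed input it reports the remote script and the iframe and nothing else.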

Reverse Engineering Malware

This is an example of Really Simple Reversing of a piece of malware.
It’s written in the AutoIt scripting language and compiled to an EXE.

Read the article HERE.

TechNet Magazine - August 2007

System Center
The Microsoft family of system management solutions holds the answers to your system management needs. System Center Configuration Manager 2007 is the newest iteration, and it brings with it a whole new paradigm for managing your servers and software, rolling out major deployments, and managing configurations.

Read the magazine HERE.

Desktop Linux cannot be taken seriously

A key developer of the Linux kernel quit because he thought the operating system had been hijacked by corporate developers. He was one of the few developers who wanted to improve the kernel for desktop performance.

Read the article HERE.

McAfee sets Rootkit Detective free

On July 26 [US time - that means Friday here down under], McAfee will begin offering a new application called Rootkit Detective, designed to detect and remove dangerous rootkit attacks. The software will also help end-users ward off the threats, as well as funnel new intelligence into the company's ongoing research operations.

Following in the footsteps of SiteAdvisor -- the free Web site security program acquired by McAfee in April 2006 that warns users about potentially dangerous sites and search results -- company officials said that the new tool will be offered at no charge from its Web site via download, with benefits for both end-users and its researchers.

Read the article HERE.

....and still no secure e-mail?

It still boggles me why servers don't do a public key cryptographic handshake/connection encryption when they transmit email. It doesn't take any new technology beyond what already exists. When user a logs into server A to send a message to user b using email server B, they will, if they are concerned about security, use a secure connection between themselves and their email server. However, the security hole exists in the communication between the two email servers. If the two servers used a secure connection to transfer the email messages, then the entire problem of forgot-password scripts emailing out plain-text passwords would be mitigated.

Read the article HERE.

New Tool Automates Spam

Just when you thought you had that spam under control: There's a new, inexpensive software package out that helps spammers send out their messages -- and frequently, malware -- at record speeds.

Security researchers at Panda Labs yesterday reported that they have spotted the sale of a new tool called XRumer that promises to help spammers get their messages out to larger numbers of users in less time than ever before.

Read the article HERE.

Wednesday, July 25, 2007

(IN)SECURE Magazine Issue 12 released

The covered topics are:

- Enterprise grade remote access
- Review: Centennial Software DeviceWall 4.6
- Solving the keylogger conundrum
- Interview with Jeremiah Grossman, CTO of WhiteHat Security
- The role of log management in operationalizing PCI compliance
- Windows security: how to act against common attack vectors
- Taking ownership of the Trusted Platform Module chip on Intel Macs
- Compliance, IT security and a clear conscience
- Key management for enterprise data encryption
- The menace within
- A closer look at the Cisco CCNP Video Mentor
- Network Access Control


Read them HERE.

From Russia with malice

If it weren't true, it would be the script for the next Bond movie. The mission: to eliminate a man. Codename: "flyman". Elite hacker. Suspected head of the so-called "Russian Business Network", a hotbed of cyber-fraud, child pornography and malicious "bot-nets" that wreaks havoc across the internet from its St Petersburg base.

Read the article HERE.

Westpac accepts no blame in security breach

Westpac has admitted that the details of around 1,400 Virgin credit card customers were exposed last week when its system security was breached, but Australia’s fourth largest bank has washed its hands of any blame.

Read the article HERE.

VA missing IT equipment

A government audit of four U.S. Department of Veterans Affairs (VA) centers found $6.4 million worth of missing or misplaced IT equipment, according to a report released Tuesday.

The GAO also found computer hard drives being disposed of that contained the names, Social Security numbers or medical histories of hundreds of U.S. military veterans.

Read the article HERE.

McAfee Avert Labs Blog

The three entries in today's blog are worth a quick look.

PDF spammers already moving on to other filetypes, currently .XLS
Naughty Natalie
Apple iPhone

Read them HERE.

DNS forgery pharming attack information

There seems to be a severe flaw in BIND's implementation that allows fraudsters to efficiently predict generated random numbers without the need to control the route between the user and the DNS server. Using this vulnerability, fraudsters can remotely forge DNS responses and direct users to fraudulent websites, which can steal the user's sign-in credentials.

Read the article HERE.

Microsoft And Data Anonymization

Before it plunges into the world of third-party advertising with the $6 billion purchase of aQuantive, Microsoft is getting its privacy ducks in a row. Microsoft also followed in Google's shoes vis-à-vis announcing that it will anonymize search query data after 18 months with the permanent removal of cookie IDs, entire IP addresses or other identifiers from search terms.

Read the article HERE.

Secunia Personal Software Inspector

Secunia released the beta version of Personal Software Inspector for download, a client program that periodically checks to see if new updates have been issued for some 4,200 applications.

Read the article HERE.

Tuesday, July 24, 2007

Microsoft Windows Root Certificate Security Issues

In the default configuration for Windows XP with Service Pack 2 (SP2), if a user removes one of the trusted root certificates, and the certifier who issued that root certificate is trusted by Microsoft, Windows will silently add the root certificate back into the user's store and use the original trust settings. This prevents a Windows XP SP2 user from declaring a Microsoft-trusted certification authority as untrusted unless the user turns off the Windows component that controls this feature.

Read the article HERE.

Picture Your Password

Text-based passwords have become infamous for their ability to be cracked. But what if we used graphical representations that were easier for users to remember and tougher for bad guys to guess?

Researchers in Ottawa recently conducted a field study of graphical-based passwords as a possible replacement for traditional passwords, and they found that while graphical passwords are more easily recalled, many users don't like them as much.

Read the article HERE.

Cyber Security Bulletins July 23, 2007

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read more HERE.

Hacking technique exploits programming error

Researchers at Watchfire say they have discovered a reliable method for exploiting a common programming error, which until now had been considered simply a quality problem and not a security vulnerability.

Read the article HERE.

Sex, Crime And Videogames

An armed gang of four kidnapped one of the world's top RPG gamers after one criminal's girlfriend lured him into a fake date using Orkut, Google's social network. After sequestering him in Sao Paulo, they held a gun against the victim's head for five hours to get his password, which they wanted to sell for $8,000. And yes, the story gets even better.

The moral of the story: to what lengths are we to take security? We have all seen that great comedy Firewall, but is the scenario a feasible one that may be played out in the future? I guess if the stakes are high enough, so are the risks.

Read the article HERE.

Firefox 3 changes on show

Online magazine Techdo has managed to get its paws on a forthcoming version of Firefox 3. It seems that the Firebadger will use version 1.9 of the Gecko rendering engine – which itself hasn't been released yet - and the Cairo graphics layer.

Read the article HERE.

Fox News security hole exposes 1.5 million

A security hole on the Fox News web server Sunday exposed sensitive content to the public, including login information that allowed hackers to access names, phone numbers, and email addresses of at least 1.5 million people.

Security expert David Hutter says the Fox News mistake is an example of "sloppiness", though the hole had been patched by noon Monday. Neither Fox News nor Ziff-Davis has commented on the breach.

Read the article HERE.

Monday, July 23, 2007

Very difficult to block IE attack vector

A member of Microsoft’s Internet Explorer team says it is “very difficult” to put protections in place to block the protocol handlers attack vector exposed by the recent IE-to-Firefox code execution vulnerability.

Read the article HERE.

Video - How Password Crackers Work

We all know that password security is important and yet we still use simple passwords that can be cracked in a matter of seconds. This video clip demonstrates the power of L0phtCrack and how simple passwords can be recovered even when using the default dictionary and no rainbow tables.

Watch the video HERE.

Metasploit - Tutorials, Docs & Videos

Metasploit is a great tool, but it’s not the easiest to use and some people get completely lost when trying to get the most out of it. To help you guys out here is a bunch of links, videos, tutorials and documents to get you up to speed. You can start with this, a good flash tutorial that shows you step by step how to use it:

Read the article HERE.

Norton Ghost 12.0

Now, I won't harp on about Ghost recovery points or how Norton 12 backs up, as nothing much has changed. Those who have used it know; those who haven't need to know that Ghost primarily backs up live from within the OS, i.e. hot imaging. I'm sure you're more interested in what's new compared to the previous version, just as we were.

Read the article HERE.

Sunday, July 22, 2007

Security experts evaluate scoring system

A standardized and vendor-neutral system that measures IT vulnerabilities has been updated to help IT managers prioritize their response to potential security threats. The second version of the Common Vulnerability Scoring System, or CVSS v2, calculates a threat score based on a series of measurements referred to as metrics, making it the IT equivalent of the U.S. Homeland Security Advisory System, but without the colour-coded chart.

Read the article HERE.

Linux phone goes on sale

Two versions of a truly open Linux mobile phone, the Neo, have gone on web sale in the US, made by FIC of Taiwan. The site warns heavily that these phones are for developers not the general public.

Read the article HERE.

Make Windows XP last for 7 years

If you've got Windows XP, worry not -- you can keep it running on your hardware for years to come. As with an old car, though, if you plan to keep XP around for a while, you're going to have to spend some time maintaining it. Think of us as your virtual mechanics. We'll give you tips, tweaks and tricks so that you'll be able to keep XP running smoothly, at top performance, for smooth operation and long life.

Read the article HERE.

Are You Human?

Episode #101 - Leo and I explore the Internet's rapidly growing need to automatically differentiate human from non-human automated clients. We discuss the advantages and limitations of many past and current approaches to this problem while paying close attention to the most commonly used visual 'CAPTCHA' solutions.

Read the article HERE.

The Rules for Computer Forensics

The recovery of evidence from electronic devices is fast becoming another component of many an IT manager's remit. Electronic evidence gathered is often valuable evidence and as such should be treated in the same manner as traditional forensic evidence - with respect and care.

Read the article HERE.

Symantec Unveils Anti-Botware

It may be the start of a whole new security product category, anti-botware: Symantec will roll out Norton AntiBot, a real-time bot detection and removal software package.

Read the article HERE.

Strolling through a hacker camp's villages

Preparations for the Chaos Communication Camp to be held next month near Berlin are ongoing, despite German home secretary Wolfgang Schäuble suggesting that participation in certain training camps would be criminalised. In addition to the official schedule of lectures, the campers, who will gather in thematic villages, will also hold their own events.

Read the article HERE.

Weekend Reading

Security Monkey : security investigation stories

Over 20 fascinating stories. Grab a coffee, relax, and enjoy them HERE.


==================================================================
Are Computers Causing us to "Cocoon" Ourselves?

My preference for staying home is part of a bigger overall trend to avoid going out in public whenever possible and "cocoon" ourselves in our homes. And this trend is certainly encouraged, aided and abetted by today's technology.

Take a look HERE.


==================================================================
Trill of a Cellphone Brings the Clang of Prison Doors

A record from a T-Mobile cellphone transmission tower on the day Ms. Woods was murdered showed that Mr. Cortez called her 13 times in the hour and a half before her death, and then never again. He had told the police in a written statement that he made the calls from his home.

Take a look HERE.


==================================================================
Europeans embrace Firefox in record numbers

Firefox has made huge inroads in Europe over the past year, to the point where Internet Explorer is in danger of losing its market share lead in some countries. According to French web metrics firm XiTiMonitor, Firefox's overall market share in the 32 European countries it measures has grown to 27.8 percent.

Take a look HERE.

==================================================================
Gaming laptops are a complete joke

There is a raging debate between me and the rest of the world over gaming laptops. Most people think they are the hottest thing since sliced bread, I think they are about as dumb as you can get. It begs the question, if all of your friends said enemas were cool, would you get one?

Take a look HERE.


==================================================================
Fake Steve Jobs lashes out

The writer of The Secret Diary of Steve Jobs appeared to break character Wednesday in decrying "invasions of privacy" that have the anonymous author rattled.

Read the article HERE.


==================================================================
The desktop - time to say goodbye?

PC shipments are expected to grow 12.2% this year; portable PC volumes are expected to grow 28% and will make up more than half of all PC shipments in the U.S. this quarter. Notebooks will dominate the worldwide PC marketplace by 2010. One researcher predicts it will be five to seven years before only the "die-hard" desktop users are left.

Take a look HERE.


==================================================================
Hitachi Deskstar terabyte drive

Hard drives and similar components are never the easiest products to review: if they only have one function to do, they do just that, and that’s about it.

Take a look HERE.


==================================================================
Make your laptop a hot spot

If you've only got one wired Ethernet connection and a room full of internet-starved laptop users, you can quickly turn your laptop into a wireless hot spot without any extra software. CNET TV has a video tutorial that demonstrates how you can turn Windows Vista, Windows XP, and Mac OS X laptops into wireless broadcasting hot spots. CNET even shows how you can add security to the wireless signal to keep intruders out. The process is painless in Vista and OS X, but requires a few steps in XP. Anyone know how to accomplish the same task in Linux? Share in the comments.

Source : Lifehacker

Watch the video HERE.

Saturday, July 21, 2007

Holes in Firefox password manager [Update]

The Mozilla developers have fixed a known hole in the password manager of Firefox & Co, but a door remains open for exploitation. If the user gives permission, the inbuilt password manager of the open-source browser saves passwords and enters data into the respective form fields on the user's next visit automatically. This happens not only on the page where the password was saved, but also on all other pages on this server that contain a similar form.

Read the article HERE.

Firefox Implements httpOnly And is Vulnerable to XMLHTTPRequest
I saw a few different people mention over the last few days that httpOnly has been added to Firefox 2.0.0.5. Very exciting stuff - as this has long been missing for over two years. There are some major pros and cons when using httpOnly on cookies.

Read the article HERE.
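The post above only says that httpOnly has pros and cons. The pro is that a cookie carrying the flag is withheld from script (document.cookie), so an injected script cannot simply read the session cookie out; the con is that the flag does nothing to stop injected script from making requests that still carry the cookie, and the post's own title notes that Firefox's XMLHttpRequest implementation at the time did not honour it fully. An added example, not code from Mozilla or the linked article: a small auditor that parses Set-Cookie header values and reports which cookies lack HttpOnly and Secure, plus a builder that emits a hardened header. The header values are constructed samples.

```python
"""Audit Set-Cookie header values for the HttpOnly (and Secure) attributes.

Added example for the Firefox httpOnly post; not code from Mozilla or the
linked article. The header values below are constructed samples.
"""
from typing import Dict, List

# Constructed sample Set-Cookie values, one per cookie, as a server might send them.
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly; Secure",
    "prefs=dark; Path=/",
    "token=xyz; Path=/; Secure",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its attribute flags.

    Attribute names are case-insensitive, so 'httponly' and 'HttpOnly'
    are treated the same.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def audit_set_cookie_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the attributes it is missing (an empty list means fine)."""
    findings: Dict[str, List[str]] = {}
    for h in headers:
        cookie = parse_set_cookie(h)
        missing = []
        if not cookie["httponly"]:
            missing.append("HttpOnly")
        if not cookie["secure"]:
            missing.append("Secure")
        findings[str(cookie["name"])] = missing
    return findings


def set_cookie_header(name: str, value: str, secure: bool = True,
                      httponly: bool = True, path: str = "/") -> str:
    """Build a Set-Cookie value with the hardening attributes on by default."""
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


if __name__ == "__main__":
    for cookie_name, missing in audit_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(cookie_name, "missing:", ", ".join(missing) or "nothing")
    print(set_cookie_header("sid", "1"))
```

Run the module to see the audit of the three sample cookies; only the first passes. The auditor checks the header the server sends, which is the right place to verify the flag, since whether a given browser honours it is outside the server's control.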

Interview with DCT - MPack developer

In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious Web sites.

A year later, the MPack kit has become an increasingly popular tool, allowing data thieves and bot masters to take control of victims' systems and steal personal information.

Read the article HERE.

Dirty e-Deeds Done Dirt Cheap

A security firm has uncovered an easy-to-use, affordable tool for making a variety of customized Trojans—from downloaders to password stealers—on sale at several online forums. The tool, discovered by PandaLabs, is called Pinch, a tool that allows cybercriminals to specify what type of password they want their Trojans to steal—be it for e-mail or system tools.

Read the article HERE.

Ask.com to offer anonymous search

Ask.com took a major step toward protecting the privacy of its users when it announced yesterday that it would be launching a new tool [not on line yet] that would allow users to use its search engine anonymously. The tool, called AskEraser, will ensure that users' search records will not be retained by the company in any form for any period of time. Users will be able to set AskEraser settings in their privacy preferences, and the company says that the settings will be clearly displayed on results pages so that users will always be aware of the privacy status of their Ask.com searches.

Read the article HERE.


What search engines store about you
Many users are in the dark as to how much of their personal information is retained by search engines, how long the data is kept, and what security measures they can take.

Take a look HERE.

Open Library goes online

A competitor to Google Book Search emerges as the Yahoo-backed Open Content Alliance launches an "open library" of its own. After several years of scanning and archiving, the Internet Archive and the Open Content Alliance this week unveiled the Open Library, their attempt at bringing public domain books to the masses.

Take a look HERE.

Friday, July 20, 2007

Opera 9.2 supports BitTorrent downloads. When parsing a specially crafted BitTorrent header, Opera uses memory that has already been freed. This can result in an invalid object pointer being dereferenced, and may allow for the execution of arbitrary code. The vulnerability is triggered when the user right clicks on the transfer and removes it.

Read the article HERE.


Opera v9.22 released
Fixes the issue that could occur when removing a specially prepared torrent transfer, as reported by iDefense above. For additional information on what else is upgraded, visit the Changelog for Opera 9.22.

Quarterback sacked by Texas state Web site

Troy Aikman may not be happy about it, but the state of Texas has made his address and Social Security number available via the Internet. Sensitive information on Aikman, formerly a star quarterback with the Dallas Cowboys, and thousands of others is available on the Texas secretary of State's SOSDirect Web site,

Read the article HERE.

New iPhone hack

What does this hack do?
It lets you use the SIM from another Cingular/AT&T phone on your iPhone.

Read the article HERE.

iPhone 'may never be secure'
Apple's new iPhone may never be secure, according to an encryption expert who believes that the device is "too powerful". Phillip Dunkelberger, a former Apple employee and now president of encryption firm PGP, told vnunet.com that the computing power of the iPhone is so great that it will be almost impossible to protect completely.

"There are so many security issues with the iPhone, because it is not just a phone," he said. "From an IT guy's perspective it is a Linux computer with communications built in."

Read the article HERE.

Multitasking Fraudsters

I had a recent encounter with online fraud and social engineering that was unusually complex. I was selling an item on eBay. The item was brand new, and retails for $250. So, imagine my surprise when I received the email announcing the auction ended with a winning price of $395!

Read the article HERE.

'Mac worm' hacker in death threat farce

The original 15 July post on Infosec Sellout's blog, which has since been stripped of detail, said: "I wrote this for my own purposes and it will be demonstrated to those who asked me to engage in this work. Yes, I am being compensated for this (Hi, Joanna)."

Read the article HERE.

Security conferences versus practical knowledge

Since computers became mainstream in the early to mid-nineties, a whole ecosystem has developed around them in order to maintain that humble computer. The various parts of that ecosystem range from the companies who make computers to the software companies who program for them.

Read the article HERE.

Boffins nail cause of hard drive failures

Scientists at the University of California and Hitachi Global Storage Technologies have worked out what causes the magnetic avalanches that lead to disk drive failures.

Read the article HERE.

Thursday, July 19, 2007

Facebook offers 1000 pirated Nintendo games

A new third-party application on social networking site Facebook is enabling users to play over a thousand Nintendo games for absolutely nothing. The original Nintendo Entertainment System (NES) games can be played through a web-based emulator which can be added to anyone's Facebook profile.

The 'Free NES' application allows you to play classic games such as the first Mario games and Disney games such as Aladdin [pictured]. Our sister games site CVG says the application is "blatant piracy".

Read the article HERE.

Firefox Fixes Seven Security Holes

Mozilla has plugged multiple security holes.

Read the article HERE.

Powerful Automatic Scanning Fuzzer

Google's security team is home-brewing a powerful combination scanner and fuzzing tool. Fuzz testing, or fuzzing, is a black-box software testing technique in which malformed data is injected automatically to find implementation bugs in code. In particular, Google is targeting XSS (cross-site scripting) bugs, according to Anantharaju.

Read the article HERE.

Bill Gates Should Buy Your Buffer Overruns

Really, what is a good argument against companies paying for security exploits? It's virtually certain that if a company like Microsoft offered $1,000 for a new IE exploit, someone would find at least one and report it to them. So the question facing Microsoft when they choose whether to make that offer, is: Would they rather have the $1,000, or the exploit? What responsible company could possibly choose "the $1,000"? Especially considering that if they don't offer the prize, and as a result that particular exploit doesn't get found by a white-hat researcher, someone else will probably find it and sell it on the black market instead?

Read the article HERE.

Finding the right lock for cryptographic keys

The big cloud on the horizon for computer security is how to deal with the ever-expanding number of cryptographic keys that are vital to computer security.

Read the article HERE.

Security firms on police spyware

In a case decided earlier this month by the 9th U.S. Circuit Court of Appeals, federal agents used spyware with a keystroke logger to record the typing of a suspect who used encryption to scramble his communications. But would that government spyware used in that investigation actually be detected by security software? Or would security companies intentionally fail to report it?

To answer that question, CNET News.com performed the following survey. We asked three questions of 13 security companies, ranging from tiny ones to corporations like Microsoft and IBM, and the results are below.

Read the article HERE.


Will security firms detect police spyware?
Most of the companies surveyed, which covered the range from tiny firms to Symantec and IBM, said they never had received such a court order. Only McAfee and Microsoft flatly declined to answer that question.

Read the article HERE.

Democracy Player relaunches as Miro

The Participatory Culture Foundation has finally put Democracy Player to rest and relaunched the software under a new name with some new features. Miro picks up where the old player left off by letting users aggregate nearly any video channels they can dream up and even search sites like YouTube and Revver on the desktop.

Have been using [and recommending] this utility for some time, in conjunction with VLC media player. VLC could handle a few things that [the old] Democracy couldn't. Perhaps this will replace both.

Read the article HERE.

Wednesday, July 18, 2007

Critical IM bugs hit Yahoo and Trillian

Security researchers yesterday disclosed critical vulnerabilities in two popular Windows instant messaging clients, Yahoo Messenger and Trillian.

Read the article HERE.

Your Money or Your Documents

Imagine opening up the personal documents file on your computer and finding a ransom note warning you that all of your precious files will be deleted unless you wire money to cyber crooks. That's exactly what happened over the past several days to more than a thousand victims, many of them employees at U.S.-based companies and government contractors.

Read the article HERE.

Hackers steal government and corporate data

Hackers stole information from the Department of Transportation and several U.S. corporations by seducing employees with fake job-listings on ads and e-mail, a computer security firm said on Monday.

Read the article HERE.

Researcher boasts of building Mac worm

An anonymous security researcher claimed this weekend to have created a worm that exploits a vulnerability in the Mac OS X operating system which Apple Inc. missed in a May round of patches.

Read the article HERE.

Full Disclosure - data breaches campaign

Today silicon.com launches its Full Disclosure campaign with the aim of making businesses and government take data security more seriously by improving the reporting of serious information security breaches.

A number of high-profile data breaches have eroded public faith in the ability of organisations to protect sensitive personal information and only a change in the law to force companies to come clean about data breaches will restore it.

Read the article HERE.

Click-to-Call Bug Found in iPhones

A security firm is warning iPhone users not to use the Safari browser to dial telephone numbers because of a bug that could allow attackers to stick victims with a phone bill full of pricey 900-number calls.

Read the article HERE.

Tuesday, July 17, 2007

Yahoo Site Explorer Spider

On this page you will find a small POC (Proof of Concept) of a client-side (JavaScript only) spider built on top of the Yahoo Site Explorer PageData service, which you can read more about from this page.

Web spiders in particular are nothing interesting. They have been with us for quite some time now and there is no point in discussing what they can do. Still, spiders are the first step towards a successful web attack.

Read the article HERE.

Cyber Security Bulletins July 16, 2007

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT).

Read more HERE.

Destroying Sandboxes

One of the mechanisms used by anti-malware applications is to institute a virtual 'sandbox' to isolate suspicious files from the rest of the system while they are quickly analysed for malicious content or behaviour.

Read the article HERE.

Automating web application security testing

Cross-site scripting (aka XSS) is the term used to describe a class of security vulnerabilities in web applications. An attacker can inject malicious scripts to perform unauthorized actions in the context of the victim's web session. Any web application that serves documents that include data from untrusted sources could be vulnerable to XSS if the untrusted data is not appropriately sanitized. A web application that is vulnerable to XSS can be exploited in two major ways:

Read the article HERE.

Utility cracks Microsoft DRM

The digital rights management on Windows Media Player has been cracked again by a utility [ FairUse4WM ] that first appeared almost a year ago.

Read the article HERE.

Password Stealers targeting games

In a recent Identity Theft white paper, I made a first count and established the number increased by 250% between January 2004 and May 2006. In order to update that figure, I established some new and more accurate lists.

Read the article HERE.

Even Symbian 9 Spyware Can Get Signed

The fact that code with malicious intentions can get through the signing process highlights the need for people to take certain precautions. For example, FlexiSpy can’t be installed remotely yet. So, if users set PINs on their device, both at startup and on the keypad lock, they can prevent its installation. It is imperative that you don’t only set the SIM PIN but also the device PIN. The reason for this is that if you rely on the SIM PIN alone, the attacker can simply remove it, restart the device, install the software and then replace your SIM.

Read the article HERE.


Unlock the cell phone?
Imagine a day when you can buy the newest, coolest phone you can get your hands on - and use it on any wireless carrier's network.

Read the article HERE.

At war with the RIAA

RIAA spends thousands to obtain $300 judgment

The RIAA agrees to a judgment of $300 after suing a single mother in state-subsidized housing for file-sharing. It's a far cry from the $750 per song the record labels claimed was due them.

Read the article HERE.


Judge deals another blow to RIAA
A [US] federal judge has blocked the RIAA from doing its customary end run around the legal system to get at the identities of suspected file-sharers, ruling that the law cited by the RIAA does not provide any authority for ex parte subpoenas.

Read the article HERE.

Monday, July 16, 2007

Line between hacking and reverse engineering

Scientists are reverse engineering the galaxy. So why is it illegal to reverse engineer a DVD player or the iPhone? How is it that the US Digital Millennium Copyright Act (DMCA) — an odious piece of lobbyist-written legislation if there ever was one — can make a crime out of reverse engineering? The DMCA circumvents laws governing copyright, patent, property and free speech by declaring unlawful the most essential right of all: the right to know.

Read the article HERE.

MSIE7 entrapment again

Microsoft Internet Explorer seems to have a soft spot for browser entrapment vulnerabilities. Just to recap, in these attacks the user is made to believe he has left a webpage (and the URL bar or SSL state data reinforce him in this belief) - but in reality he is prevented from doing so, and his browser continues to display assorted content originating from the attacker.

Read the article HERE.

Six months on Vista users still griping

Nearly six months after it launched, gripes over what doesn't work with Vista continue, eclipsing positive buzz over the program's improved desktop search, graphics and security.

Read the article HERE.

Free Tools for the I.T. Needy Professional

Gliffy - FreeConference - CrossLoop

Read the article HERE.

Sunday, July 15, 2007

A Lot of Room in Its View

Vista may prove to be most appropriately named, especially for those seeking evidence of how a computer was used. But from a litigator’s perspective, the interesting point is that it keeps a lot more information—and more detailed information—about what a person does with a PC. This means lawyers can potentially discover more forensic evidence about what is on a computer and construct more detailed time lines about what was done with that information.

Read the article HERE.

The Athens Affair

How some extremely smart hackers pulled off the most audacious cell-network break-in ever. On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months.

The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy.

Read the article HERE.

Exploiting reflected XSS vulnerabilities

Ever since Adobe patched Flash Player to stop attackers spoofing certain headers[1] such as Referer, User-Agent, etc., it has been considered impossible to exploit XSS vulnerabilities where the user input is taken from a request header, e.g. when a website prints out what User-Agent a user's browser is sending without escaping it. The exception is the Referer header, which we can control enough to exploit XSS attacks through it.

I want to showcase several ways in which we can still exploit these vulnerabilities.

Read the article HERE.
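The fix that both this post and the earlier "Automating web application security testing" entry point at is the same: request headers are untrusted input like any other, and what protects the page is escaping for the context the value lands in, not a belief that nobody can control the header. An added example, not code from either linked article: a vulnerable renderer that concatenates User-Agent and Referer straight into markup, beside a hardened one that escapes text and additionally restricts a URL used in an href to http/https, since escaping alone does not make a javascript: URL safe in that context. The request headers are constructed samples.

```python
"""Escape untrusted data before embedding it in HTML, request headers included.

Added example for the two XSS posts; not code from either linked article.
The request headers below are constructed samples carrying a visible marker
payload so that the difference between the two renderers is easy to see.
"""
import html
from urllib.parse import urlsplit

# Constructed request headers, as a web application would see them.
SAMPLE_HEADERS = {
    "User-Agent": 'Mozilla/5.0 <script>alert("ua")</script>',
    "Referer": "http://example.invalid/?q=<b>hi</b>",
}


def render_unsafe(headers: dict) -> str:
    """The vulnerable pattern: header values concatenated straight into markup."""
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    return '<p>Your browser: %s</p><p>From: <a href="%s">%s</a></p>' % (ua, ref, ref)


def escape_text(value: str) -> str:
    """Escape for the HTML text and quoted-attribute contexts (<, >, &, quotes)."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> str:
    """Only allow http/https URLs into an href; anything else becomes a dead link.

    Escaping does not neutralise a javascript: or data: URL inside href, so the
    scheme has to be checked separately. Scheme-relative URLs (//host) are also
    rejected here, which is deliberately conservative.
    """
    candidate = url.strip()
    if urlsplit(candidate).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(candidate, quote=True)


def render_safe(headers: dict) -> str:
    """Hardened renderer: every untrusted value is escaped for where it is placed."""
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    return '<p>Your browser: %s</p><p>From: <a href="%s">%s</a></p>' % (
        escape_text(ua), safe_href(ref), escape_text(ref))


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_HEADERS))
    print("safe:  ", render_safe(SAMPLE_HEADERS))
```

The same two helpers apply to any other reflected value (query parameters, form fields, cookies); the header case is only notable because developers tend to assume headers are not attacker-controlled.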

Securifier hides your files

Securifier uses a stealth technology to hide files and folders even from prying eyes and even from the Operating System itself! That’s right: Windows can’t see them! Nobody can view your securified files and folders except you.

This is a product that we produced at work and we're looking for some feedback on it. It hides and encrypts your files in a pretty cool/intuitive way. Works very well, and works pretty fast. Works on very large files too. I'd be interested in any feedback we can get on it.

Leave feedback HERE.

Windows Home Server

Recently I downloaded the Windows Home Server Release Candidate and took it for a spin. Check out a screenshot tour of Microsoft's attempt at providing a home server setup for the masses.

Read the article HERE.

Botnet film

Great video, aimed at the novice user, that gives an instructional guide to the dangers [malware - bots] of the internet.

Watch the video HERE.

Weekend Reading

"I've Got Nothing to Hide" and Other Misunderstandings of Privacy

In this short essay, written for a symposium in the San Diego Law Review, Professor Daniel Solove examines the "nothing to hide" argument. When asked about government surveillance and data mining, many people respond by declaring: "I've got nothing to hide." According to the "nothing to hide" argument, there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private. The "nothing to hide" argument and its variants are quite prevalent, and thus are worth addressing. In this essay, Solove critiques the "nothing to hide" argument and exposes its faulty underpinnings.

Take a look HERE.


==================================================================
How to Beat a Security Audit


Nobody passes a security audit on the first try. You might have your access control process fixed, but you probably haven't adequately trained your administrators on how to manage it. You might have your configuration and change control systems in place, but you probably haven't sufficiently documented the process for using them. If you've adopted strict security policies, your users likely have found a way of avoiding or bypassing them altogether.

Make no mistake - auditors will find fault with your systems, your processes, and the people who operate them. They're auditors. It's their job.

Take a look HERE.

==================================================================
Second open Linux phone goes on sale

Another fully open-source-based phone went on sale on Monday, offering developers the chance to build their own mobile Linux applications. The Neo1973 is the first mobile phone to be designed to run the open-source operating system OpenMoko.

Take a look HERE.


==================================================================
The ABCs of learning online

Like many 7- and 8-year-old girls online, Emily and Kayla Strickland are regulars to Barbie.com and the virtual world Webkinz. But much to their mom's delight, the sisters also have been longtime fans of Starfall, an educational Web site whose star is quickly rising among parents, teachers and kids as young as 2 years old.

Take a look HERE.


==================================================================
Top 15 Ways to Extend Your Laptop’s Battery Life

Number 14 is my favourite - who woulda thunk?

Take a look HERE.


==================================================================
Security theatre

Steve Riley of Microsoft is a controversial figure. Some believe he's a hacker and others that he's a social engineer. Having an argument with him is very difficult. Steve's got a great mind and a unique ability to inspire people and get them thinking about information security. Recently I read about security theater in his newsgroup posting, in response to a suggestion to rename the Administrator account as a security measure:

Take a look HERE.

==================================================================
The most exciting boring job ever

What do you get when you combine CSI Miami with a reality TV called Who Wants to be an Accountant? Although it has little to do with dead bodies and murder mysteries, there is plenty of excitement to be had in the world of forensic accounting. Welcome to the most exciting boring job ever!

Take a look HERE.


==================================================================
Google in Colorado safe cracking caper

It's true. Google can help with anything. Minutes before they opened several locked safes at a "family fun center" in Colorado Springs, a team of masked bandits sat down at a nearby PC and Googled "safe-cracking."

Take a look HERE.

==================================================================
Online Gaming's Seamy Underside

You're playing an online game in which players are warriors who can only walk, jump, or run. Suddenly, another player appears out of nowhere, draws his sword, and hacks you to bits.

Game over. But were you really beaten by a superior player? Or did a hacker or cheater simply rig the game? A new book that will be published tomorrow suggests that in the gamers' world, the cheaters often win.

Take a look HERE.


==================================================================
Mac OS X with 100 bugs still safer than Windows?

Apple has plugged around 100 vulnerabilities in OS X so far this year but the malware threat to Mac customers is "insignificant" compared to users of Microsoft Windows.

Take a look HERE.

Saturday, July 14, 2007

Sun says Java flaw has been patched

Sun Microsystems says a Java security threat, the subject of an earlier Australian report, has been patched. Sun on Friday released a new version of Java SE 6 Update 2 that it says addresses all current vulnerabilities.

Read the article HERE.

Software Vulnerability Auction Stokes Researchers

Brian Krebs on Computer Security : I held off in covering this important story because I wanted to gauge the level of interest from members of the security research community. Today, washingtonpost.com ran a story I wrote that presents some of their reactions to the new service.

Read the article HERE.


Bug Brokers: eBay-like Bug Site Doomed
eWeek News Analysis: The key problem with eBay-like auction site Wabisabilabi is that you can't reveal details about a vulnerability without tipping off researchers on how to find it.

Read the article HERE.

All Online Data Lost After Internet Crash

Breaking News: All Online Data Lost After Internet Crash...

Watch the video HERE.

Hackers We Love

Here are our picks of some of the hackers—there are many more—whose work serves as a crucial security warning beacon for enterprises. They conduct their research in the face of threatened lawsuits and publish their results, often to be criticized for "irresponsible disclosure." They teach us how to code better, where new classes of exploits will come from and what questions to demand that vendors address.

Read the article HERE.

Perspective: Is an antivirus gap looming?

I was recently out with friends from the antivirus industry. They work as analysts for a major firm, and we were talking about our respective views on malicious code. I left the conversation disappointed and frustrated at the increasingly blind host-based antivirus world.

Read the article HERE.

What could you make from an iPhone?

If you take apart the components of an iPhone, piece by piece, it's surprising what you can make when putting the pieces back together. Since the iPhone's June 29 launch, we've seen several teardown reports--some from professionals, some demonstrating more enthusiasm than skill, and some that are just awful (but funny).

Read the article HERE.

Friday, July 13, 2007

675,000 more names on stolen data tape

The number of people affected by missing state data more than doubled with today's announcement that Social Security numbers and other information for nearly 675,000 additional taxpayers, former state workers and state vendors was on a backup computer tape stolen from a state intern's car.

Read the article HERE.

Bootable disc eliminates viruses

A computer science researcher has developed a secure software application intended to bypass the problem of viruses altogether. The software, tentatively called BOSS (Bank on Secure System), was designed with the home user in mind and is limited to specific applications that involve sensitive transactions, such as electronic banking.

Read the article HERE.

QuickTime Mends Eight Flaws

Apple has released a new version of its ubiquitous QuickTime player for both Mac OS X and Microsoft Windows computers. The latest version, v. 7.2, plugs at least eight security holes in the software.

The new QuickTime also unlocked full-screen video, a feature that previously was available only in the $29.99 QuickTime Pro premium edition.

Read the article HERE.

The Rise of Antiforensics

New, easy to use antiforensic tools make all data suspect, threatening to render computer investigations cost-prohibitive and legally irrelevant. Now, for every tool forensic investigators have come to rely on to discover and prosecute electronic crimes, criminals have a corresponding tool to baffle the investigation.

This is antiforensics. Read the article HERE.

Crime dramas in Internet-land

Security news lately is starting to sound like an episode of CSI these days. Death, muggings, theft rings, racketeering, rogue phone taps... it’s the juiciest of evening news fodder! It’s been said a million times, but it bears repeating: The internet is very much the new “Old West”. We’re in a state of almost total lawlessness, because we have not yet found efficient ways to find and bring criminals to justice.

Read the article HERE.

Old Flaw Threatens Web 2.0

An old bug is rearing its ugly head again, and this time it could spell trouble not only for Internet users but for corporate intranets as well. The vulnerability, usually called DNS rebinding (or "anti-DNS pinning", after the browser defence it bypasses), has researchers worldwide scrambling to figure out ways to protect Web users and corporate networks.

DNS pinning is a browser defence that ties a hostname to the IP address it first resolved to for as long as the browser runs, ignoring later DNS answers. It exists precisely because of rebinding: a page's scripts may only talk to the host the page came from, but without pinning an attacker who controls the DNS for that host can re-point its name at an internal address after the page has loaded, and the browser will then hand the internal server's responses to the attacker's script as if they were same-origin. Now researchers have discovered some pretty scary, and shockingly easy, anti-DNS pinning attacks, a few of which will be revealed and demonstrated at Black Hat next month.

Read the article HERE.

Thursday, July 12, 2007

The perfect attack against your security?

A socially engineered e-mail, which contains a Trojan file that exploits a zero-day vulnerability and then hides behind a rootkit, might be the perfect attack and impossible to defend against.

Read the article [and watch the video] HERE.

Military Files Left Unprotected Online

Detailed schematics of a military detainee holding facility in southern Iraq. Geographical surveys and aerial photographs of two military airfields outside Baghdad. Plans for a new fuel farm at Bagram Air Base in Afghanistan.

The military calls it "need-to-know" information that would pose a direct threat to U.S. troops if it were to fall into the hands of terrorists. It's material so sensitive that officials refused to release the documents when asked.

But it's already out there, posted carelessly to file servers by government agencies and contractors, accessible to anyone with an Internet connection.

Read the article HERE.

At the bottom of the above article there is a link to "FTP Is Simple but Open to Leaks" - also an interesting read.

A freebie - for us down under

eEye Digital Security today announced that its award-winning Blink Personal Edition is available for download: consumers in the Asia-Pacific region can now download a 365-day free trial version of Blink Personal Edition.

Blink Personal is the first Internet security solution to build multiple protection layers into a small, single agent that transcends the typical 'bloatware' of today's client security. It protects users' systems and personal information with...

Read the Press Release HERE.

Firefox 3 aims to make phishing harder

A new alpha build of Firefox 3 introduces a new URL-highlighting feature intended to make phishing attempts less fruitful. Getting users to notice what's going on in their address bars may prove challenging, however.

Read the article HERE.

Firefox 3 Beta 1 delayed

Performance regressions and the need for extra time to work on the front-end have compelled Mozilla to rework the Firefox 3 roadmap. Expect to see Alpha 7 at the end of this month instead of Beta 1.

Read the article HERE.

How to use Google for fast P2P

An instructional video posted to YouTube has been offering a primer on how to use Google to nick music and video files in less time than it takes to download them from a P2P site.

The Financial Times says that Ruska's formula worked at Yahoo and other search engines.

Read the article HERE.

Advanced Google searches with Google Hacks

Free open-source app Google Hacks is a GUI-based query builder designed to help you find free media on the web. Google Hacks is split into five sections so you can easily search Google for free music, books, video, product keys, and tools.

Read the article HERE.

Microsoft Launches Threat Portal

Microsoft now has its own security threat and research portal: The software giant this week quietly launched version 1 of its new Malware Protection Center Portal.

Read the article HERE.

Windows Live OneCare 2.0 goes into public beta

OneCare 2.0 beta is finally available for the public to test.

Visit the website HERE.

Wednesday, July 11, 2007

Zero-Day Hits IE-Firefox Combo

Security researcher Thor Larholm has discovered a [Highly critical] zero-day vulnerability that could let remote attackers hijack systems running both Internet Explorer and Firefox. Larholm is calling this an IE zero day, blaming the vulnerability on an input validation flaw in Internet Explorer that lets a malicious web page pass arbitrary arguments to the process responsible for handling URL protocols. It is the same type of input validation vulnerability that Larholm discovered in the Safari 3 beta.

Read the article HERE.
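
An added illustration of the bug class described above, argument injection through a URL protocol handler. It is not Larholm's proof of concept (which the page does not reproduce) and not any real handler's registration: the handler path, the flag and the URLs are constructed, and the command-line splitter is a simplified model of the Microsoft C runtime rules that a launched program uses to turn its command line back into argv.

```python
"""Toy model of argument injection through a URL protocol handler.
On Windows a protocol handler is registered as a command-line template such as
    "C:\\Handler\\handler.exe" "%1"
into which the shell substitutes the whole URL before the child process
re-parses the resulting string into argv. Handler, flag and URLs are
constructed for this example."""

import re
import subprocess

# Hypothetical registration; the quotes around %1 are what the attacker breaks out of.
HANDLER_TEMPLATE = '"C:\\Handler\\handler.exe" "%1"'


def split_windows_argv(cmdline):
    """Simplified CommandLineToArgvW: a quote toggles a quoted region, 2n
    backslashes before a quote become n literal backslashes, 2n+1 make the
    quote literal, and whitespace outside quotes separates arguments."""
    args, cur, in_quote, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n, i = n + 1, i + 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))
                if n % 2 == 1:                   # odd run: the quote is literal
                    cur.append('"')
                    i += 1
            else:
                cur.append("\\" * n)             # backslashes elsewhere are literal
            have_arg = True
            continue
        if c == '"':
            in_quote = not in_quote
            have_arg = True
        elif c in " \t" and not in_quote:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(c)
            have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def launch_vulnerable(url):
    """Substitute the URL straight into the template, as the shell does, and
    return the argv the handler would see. A quote in the URL closes the
    quoted %1 and everything after it becomes extra arguments."""
    return split_windows_argv(HANDLER_TEMPLATE.replace("%1", url))


# Characters a URL may contain under RFC 3986; no quotes, whitespace or controls.
URL_GRAMMAR = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]*$")


def validate_url(url):
    """First layer: reject anything outside the URL grammar before it gets
    near a command line."""
    return URL_GRAMMAR.match(url) is not None


def quoted_argv(url):
    """Second layer: build the command line from an argv list so the URL is
    escaped as one argument, then show how the child re-parses it."""
    exe = split_windows_argv(HANDLER_TEMPLATE)[0]
    return split_windows_argv(subprocess.list2cmdline([exe, url]))


def launch_hardened(url):
    """Both layers together; the argv returned always has exactly two entries."""
    if not validate_url(url):
        raise ValueError("URL contains characters outside the URL grammar")
    return quoted_argv(url)


if __name__ == "__main__":
    benign = "proto://example.test/path"
    injected = 'proto://example.test/" -unsafe-flag "'
    print("vulnerable, benign: ", launch_vulnerable(benign))
    print("vulnerable, injected:", launch_vulnerable(injected))
    print("quoted,     injected:", quoted_argv(injected))
    print("hardened,   benign:  ", launch_hardened(benign))
```

The escaping layer on its own only helps if the receiving program parses its command line by the same rules; a handler with its own parser may split the string differently, which is why the validation layer (refusing quotes, whitespace and control characters that no URL may legally contain) is the one to rely on, and it is the caller, here the browser, that has to apply it before handing the URL to the shell.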

Microsoft Plugs 11 Software Holes

Microsoft Corp. today pushed out software updates to plug at least 11 separate security holes in its Windows operating system and other software. Four of the vulnerabilities earned a "critical" rating from Redmond, its most severe. Microsoft labels flaws "critical" if they can be exploited remotely with little if any help from the user.

Read the article HERE.