Sunday, November 08, 2009

German Big Brother Award - Companies & Privacy

Each year a committee of privacy experts determines which companies have actively profited from and supported privacy breaches (the so-called legal ones, or borderline ones). This year, according to Heise Online, the prize for the worst offender went not to a single company but to a whole group of them:

- Quante Netzwerke for developing and selling programs that store and hand over the network data of Internet users, so-called "Lawful Interception" systems.

- Utimaco Safeware for its "Data Retention Suite".

- Datakom subsidiary GTEN for its outstanding work in eavesdropping technology.

- Syborg, a company specialized in telephone recording and analysis.

- DigiTask for the development of a Trojan (malicious code) that can be used to eavesdrop on Skype conversations.

- Secunet for selling/providing its "Sina-Box" to every telecom recording facility the German government has in place.

- Cisco for its excellent work in deep packet inspection, which allows monitoring to keep up with ever-increasing Internet traffic.

- Trovicor, a spin-off from Nokia Siemens Networks (NSN), which delivered surveillance software to Iran.

Read more: German Big Brother Awards (English)

1SSA - Security Consulting, Training and Products

Sunday, November 01, 2009

HHS issues an interim final rule on HIPAA enforcement

On October 30th the US Department of Health & Human Services issued an interim final rule to strengthen the enforcement of the Health Insurance Portability and Accountability Act (HIPAA). This was necessary because of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which modified the HHS Secretary's authority to impose civil money penalties for HIPAA violations occurring after Feb. 18, 2009. These HITECH Act revisions significantly increase the penalty amounts the Secretary may impose for violations of the HIPAA rules and encourage prompt corrective action.

Prior to the HITECH Act, HHS could not impose penalties of more than $100 for each violation or $25,000 for all identical violations. A covered health care provider, health plan or clearinghouse could also bar the Secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules. Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

Do you have checks in place that ensure you are in compliance? Regular evaluations are common practice and are required by the HIPAA Security Rule; NIST SP 800-66 describes how to carry them out.

Contact us, we can help: contact@1ssa.net

Read more:
HHS announcement

Sunday, October 25, 2009

UK healthcare records sold in India

According to an ITV show (only viewable in the UK; see the link below for a short transcript), medical records of UK residents are being sold on the black market in India. The service offered is quite sophisticated, even promising to break the data down by disease category.

Besides the ethical side of this, there are various other reasons that make me want to ask the US government to heavily regulate electronic medical records, and not take the usual approach of letting the market determine what is good for the companies offering the service... or was it the patient? Looking back, I guess I am not the only one who has that confused.

Read more: ITV article, Pete Finnigan's blog

Monday, October 12, 2009

Sidekicks and a Danger-eous Cloud

I think we have our first major cloud incident and nobody knows how to handle it. T-Mobile customers in the United States using Sidekick devices might not be the biggest fans of T-Mobile's approach of handling data with cloud computing. T-Mobile has outsourced its Sidekick services to a company called Danger, which is owned by Microsoft. Sidekick devices rely heavily on the network and on off-site storage. The network storage devices used to store Sidekick data at Danger are manufactured by Hitachi.

Microsoft, Hitachi, and T-Mobile are all big names, but the information that leaked out does not show much professionalism. Hitachi was tasked with updating Danger's network storage devices. According to an Engadget article, the update went quite wrong, and there was neither a data backup nor a working back-out plan. Some of the data stored by T-Mobile's Sidekick users has been deleted.

Even days later the overall system is still not stable, and T-Mobile advises customers not to turn off their devices. Even sales of Sidekicks are on hold.

I guess cloud computing is in Danger.

Read more at:
Engadget
New York Times

Thursday, October 08, 2009

Trojan forging bank statements to cover traces

This is getting way too "perfect". Malware has now been discovered that rewrites online bank statements on the fly, covering the traces of fraudulent transactions. This gives the criminals more time to route the money and hide it. The new Trojan appears to use a server in Ukraine for command and control. The first victims were spotted in Germany, with damages of up to 300,000 Euros (approximately $400,000) in just 22 days.

You can read more at: Wired article


Friday, October 02, 2009

Wifi security problems - Just paint!

It was just a question of time until a company came out with it, and here it is: a paint that blocks the radio waves used for wireless LAN (WLAN/Wi-Fi). The same goes for cell phone signals and the other radio bands used by modern mobile devices. For the electrical engineers: the paint claims to block radio waves up to 100 GHz. So what exactly does that mean? An additional layer of security that prevents someone outside from reaching your wireless network. You can paint the outside-facing walls of your home or office with this special paint and nobody outside can pick up the radio waves from inside anymore... which also means nobody can use a cordless phone outside the home anymore. So you might want to reconsider the paint and instead configure your wireless access point/router to use WPA2, the latest security standard for wireless devices. Is that a 100% assurance that nobody can break into your wireless network? Unfortunately the answer is no. Besides the usual attacks on flawed implementations of the wireless protocol by certain vendors, the latest attacks against WPA/WPA2 with a pre-shared key use so-called rainbow tables: precomputed tables of the pairwise master key for large lists of passphrases, which let an attacker skip the expensive key derivation when attacking a captured handshake offline. Because that key derivation mixes in the network name (SSID) as a salt, such tables only work for the SSIDs they were built for, so a unique SSID combined with a long, random passphrase defeats them. Maybe the paint is not such a bad idea after all, but keep in mind that windows cannot be painted...
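
The reason a precomputed table is tied to the SSID can be seen in the key derivation itself. The following is an added example for this post, not code from the original article or from any attack tool: it derives the WPA/WPA2-PSK pairwise master key the way the standard specifies (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID), builds a small table for one SSID from a constructed wordlist, and then tries it against two networks with the same weak passphrase. The `handshake_oracle` function is an assumption standing in for the real per-candidate check (deriving the transient key from the PMK, nonces and MAC addresses and comparing the handshake MIC); the wordlist and network names are made up.

```python
"""Why WPA2-PSK rainbow tables are per-SSID (constructed example, not from the original post)."""
import hashlib
import secrets
from typing import Callable, Dict, Iterable, Optional

PBKDF2_ROUNDS = 4096  # fixed by the WPA/WPA2-PSK specification
PMK_LEN = 32          # 256-bit pairwise master key


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key as defined for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 iterations, 32-byte output. The SSID as
    salt is what ties a precomputed table to one network name.
    (Spec test vector: passphrase "password", SSID "IEEE" gives f42c6fc5...)"""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ROUNDS, dklen=PMK_LEN)


def build_pmk_table(ssid: str, passphrases: Iterable[str]) -> Dict[bytes, str]:
    """Attacker's precomputation: PMK -> passphrase for ONE ssid. This is the slow part
    (4096 HMACs per entry) that a published table lets an attacker do once, ahead of time."""
    return {wpa2_pmk(p, ssid): p for p in passphrases}


def crack_with_table(table: Dict[bytes, str],
                     matches_handshake: Callable[[bytes], bool]) -> Optional[str]:
    """Online phase: test each precomputed PMK against a captured 4-way handshake.
    matches_handshake stands in for the real check (PTK derivation + MIC compare),
    which is cheap per candidate; PBKDF2 is the cost the table removes."""
    for pmk, passphrase in table.items():
        if matches_handshake(pmk):
            return passphrase
    return None


def handshake_oracle(true_passphrase: str, ssid: str) -> Callable[[bytes], bool]:
    """Assumption for this example: a 'captured handshake' of the target network that
    accepts exactly the PMK the network really uses. A real check recomputes the MIC."""
    true_pmk = wpa2_pmk(true_passphrase, ssid)
    return lambda candidate: secrets.compare_digest(candidate, true_pmk)


# Constructed wordlist standing in for the passphrase list behind a published table.
WORDLIST = ["password", "12345678", "letmein1", "qwertyuiop", "iloveyou"]


def demo() -> dict:
    """Same weak passphrase, two SSIDs: the table built for 'linksys' cracks the network
    named 'linksys', is useless against 'ksJ7-home', and a long passphrase is not in it."""
    table = build_pmk_table("linksys", WORDLIST)
    return {
        "default_ssid": crack_with_table(table, handshake_oracle("password", "linksys")),
        "unique_ssid": crack_with_table(table, handshake_oracle("password", "ksJ7-home")),
        "strong_passphrase": crack_with_table(
            table, handshake_oracle("correct horse battery staple!", "linksys")),
    }


if __name__ == "__main__":
    print(demo())
```

The table is keyed by (SSID, passphrase), so renaming the network from a vendor default to something unique forces the attacker back to paying 4096 HMAC-SHA1 rounds per guess; a long random passphrase then makes that per-guess cost prohibitive.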

Read more at: BBC News, Wikipedia - Rainbowtable

Saturday, September 26, 2009

Ants attacking malicious code (or the slow death of antivirus tools II)

Three researchers are working on a new method of detecting malicious code. The approach mimics ant behavior. It is still in a development stage but has already identified a worm that was deliberately introduced into a network of computers. The so-called digital ants depend on agents called "sentinels" installed on each machine, which in turn report back to "sergeants" on the network that are monitored by humans.

According to an article on Physorg.com the system only works in large networks where the computers have the same build. That means: if an "ant" sees a deviation from the standard build, it alerts the others to inspect what it could be. It just does not happen in real time. Most infections require fast action (e.g. a keylogger sends your credit card data out as you type). The number of ants is also concerning... the researchers are already planning on having 3,000 different types of ants. Is this another signature-based approach?

Again a technology that only works in large networks/clouds. What about the typical corporation with a sales force whose laptops connect only occasionally, just to check email?

Here is the article - Ants vs worms: New computer security mimics nature

Tuesday, September 22, 2009

The slow death of antivirus tools

I think by now everyone using a computer connected to the Internet is using an antivirus/Internet security/anti-spyware solution. No matter which one you choose, they are all based on signatures to recognize malicious code entering your system. Those signatures need to be updated regularly to keep up with the known malware out there. You wonder why "known"? An antivirus company needs a sample of the malicious code to produce a signature, which means zero-day malicious code cannot be recognized by the program. Also, if you do not update the signatures, the antivirus tool might not catch the latest known malicious code (e.g. a virus or a worm) since you lack the signature. Let's summarize and take a closer look:

First of all, the malicious code needs to be already known and identified as such before your software can do anything about it. Most vendors incorporate so-called heuristic analysis routines into their programs, but they are usually so sensitive that most users turn them off (some vendors even ship them turned off by default!), or they do not react at all. Fact is that the industry has so far failed to provide a reliable heuristic scan solution.

Second, those programs do not reliably identify all the viruses they "know". There is not one program out there that recognizes 100% of the malicious code in the wild, even with all signatures installed. This is quite disturbing, but a reality.

I am sure everyone has complained about his/her computer being slow or flaky. Ever thought that this might be because of the antivirus program you are running? Reality is that those programs hook all kinds of system calls and constantly check memory and files for malicious code. All this costs performance and your time. Unfortunately, signature-based checks can only work that way.

Which brings me to the third point: the number of signatures has increased so much that each year the antivirus vendors set a new record for the number of new signatures pushed out.

So what is the point? The point is that all these anti-malware programs are dying a slow death, the death of too many signatures to check in the time available.

Some vendors have realized that and are already turning to solutions that utilize the "cloud" (see the cloud posting in this blog) to recognize infected files. But what happens to the people that are offline for an extended time? I guess they might be out of luck.
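
To make the "known sample first" limitation concrete, here is an added toy scanner; it is not code from any antivirus product or from the original post, and the three "samples" are constructed byte strings, not real malware. It supports the two classic signature kinds, an exact hash of a known sample and a byte pattern with wildcard bytes (the `??` notation is borrowed from the way open-source scanners write hex signatures), and shows what each catches: the hash only the exact file, the pattern also a lightly repacked variant, and neither a rewritten stub until a vendor receives a copy and ships a new signature.

```python
"""Toy signature scanner: what an AV signature can and cannot catch.
Added illustration for this post; not code from any antivirus product."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str    # "hash": SHA-256 of a known sample; "pattern": hex bytes, "??" = any byte
    value: str


def compile_pattern(hex_pattern: str) -> "re.Pattern[bytes]":
    """Turn a hex pattern such as 'e8 ?? 00 00 00 5b' into a bytes regex."""
    s = "".join(hex_pattern.lower().split())
    if len(s) % 2:
        raise ValueError("hex pattern must have an even number of digits")
    pieces = []
    for i in range(0, len(s), 2):
        pair = s[i:i + 2]
        pieces.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(pieces), re.DOTALL)


def scan(data: bytes, signatures: List[Signature]) -> Optional[str]:
    """Return the name of the first matching signature, or None (= looks clean)."""
    digest = hashlib.sha256(data).hexdigest()
    for sig in signatures:
        if sig.kind == "hash" and sig.value == digest:
            return sig.name
        if sig.kind == "pattern" and compile_pattern(sig.value).search(data):
            return sig.name
    return None


# Constructed "samples": fake executable header, a short code stub, a payload marker.
STUB_V1 = b"\xe8\x10\x00\x00\x00\x5b"        # call +0x10 / pop ebx: what the generic sig keys on
STUB_V2 = b"\xe8\x40\x00\x00\x00\x5b"        # same trick, different offset (one byte changed)
STUB_NEW = b"\xe9\x3a\x00\x00\x00\x90\x5b"   # stub rewritten: jmp instead of call
KNOWN_SAMPLE = b"MZ" + b"\x90" * 16 + STUB_V1 + b"payload:v1" + b"\x00" * 8
REPACKED_VARIANT = b"MZ" + b"\x90" * 16 + STUB_V2 + b"payload:v2" + b"\x00" * 8
REWRITTEN_VARIANT = b"MZ" + b"\x90" * 16 + STUB_NEW + b"payload:v3" + b"\x00" * 8

HASH_SIG = Signature("Trojan.Toy.A", "hash", hashlib.sha256(KNOWN_SAMPLE).hexdigest())
GENERIC_SIG = Signature("Trojan.Toy.Gen", "pattern", "e8 ?? 00 00 00 5b")


def demo() -> dict:
    """Hash signature catches only the exact sample; the wildcard pattern also catches
    the repacked variant; the rewritten stub evades both until the vendor gets a copy."""
    hash_only = [HASH_SIG]
    both = [HASH_SIG, GENERIC_SIG]
    return {
        "known_hash_only": scan(KNOWN_SAMPLE, hash_only),
        "repacked_hash_only": scan(REPACKED_VARIANT, hash_only),
        "repacked_with_generic": scan(REPACKED_VARIANT, both),
        "rewritten_with_generic": scan(REWRITTEN_VARIANT, both),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict or 'not detected'}")
```

Every signature in the list is checked against every file, which is also why the cost of a scan grows with the size of the signature database.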

Here is some further reading:
Antivirus tools compared August 2009

Tuesday, September 15, 2009

Erasing HD: One time is enough?

For decades I have heard that hard disks need to be overwritten several times before being discarded, all to prevent someone from retrieving information from them. It seems we have been a little too paranoid. At least that is what Craig Wright, Dave Kleiman, and Shyaam Sundhar, three forensic experts, say in a white paper they published.

According to the white paper, the chance of recovering a single bit correctly is only 56% (close to flipping a coin). As a result the chance of reconstructing a byte correctly is only about 0.97% (0.56^8 ≈ 0.0097). You can imagine what this looks like for even a file in the kilobyte range.

Tuesday, August 25, 2009

What is cloud computing?

Having listened to Google and done my reading, I am still not clear on what cloud computing is for each of the companies offering it. I guess it depends on who you talk to, how they define the cloud and what cloud computing offering they have for you. Most of us Internet old-timers remember that the Internet was the original cloud. It took care of things like routing. But do all the cloud offerings take care of things like security? Privacy and security still seem to be at an immature state.

Now NIST has taken on the challenge of helping with the definition of "cloud computing" and has drafted a document. I guess the next step is to define a standard for cloud security, or at least some common APIs.

Background material:
NIST Cloud computing

Infected websites on Google & Yahoo

We all (or at least the majority of us) use Google and Yahoo to search the Internet; "just google for it" has become the answer to most questions that cannot be answered otherwise. Many attackers are now using this to infect computers with malware (viruses, bots, worms, etc.).

The latest case involves over 64 thousand websites that contain a so-called "iframe" (a reference to another website that gets displayed in a section of the page) pointing to a web server that tries to infect your computer.

Nowadays googling for something and clicking on a search result can easily result in a malware infection. Counting on your antivirus/anti-spyware tools to catch the attack is a gamble that you might lose. Many of these sites use zero-day (or close to zero-day) exploits for browser vulnerabilities, and Microsoft sometimes needs months to fix such issues.

On the other hand, organizations need to show more due diligence in patching such holes on their own web servers. It is part of the TCO of your Internet presence.

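A site owner's first check for the kind of injection described above is to look for iframes that are both invisible and pointing off-site. The following is an added example for this post, not code from the linked articles or from any scanner product; the sample page is constructed and the host `evil-host.example` is made up. It parses the HTML, flags iframes with zero-size or hidden styling whose source is on a foreign host, and lets visible embeds and same-site frames pass. Real injections are often wrapped in obfuscated JavaScript (`document.write` of the iframe), so a static check like this is a first pass, not a complete answer.

```python
"""Find hidden, off-site iframes in a fetched page (added example; not from the linked articles)."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value: str) -> bool:
    """True for sizes like '0', '1', '0px': a frame nobody is meant to see."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v.isdigit() and int(v) <= 1


def is_hidden(attrs: Dict[str, str]) -> bool:
    """Zero/one-pixel dimensions or CSS that hides the frame."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")))


def is_off_site(src: str, site_host: str) -> bool:
    """Absolute URL on a host that is neither the site nor one of its subdomains."""
    host = (urlparse(src).hostname or "").lower()
    site_host = site_host.lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def suspicious_iframes(html: str, site_host: str) -> List[str]:
    """Return the src of every iframe that is both hidden and points off-site."""
    parser = IframeCollector()
    parser.feed(html)
    return [f.get("src", "") for f in parser.iframes
            if is_off_site(f.get("src", ""), site_host) and is_hidden(f)]


# Constructed page: a legitimate video embed, a same-site frame, and one injected frame.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.youtube.com/embed/abc123" width="480" height="360"></iframe>
<iframe src="/help/faq.html" width="300" height="200"></iframe>
<p>Contact us</p>
<iframe src="http://evil-host.example/in.cgi?3" width=0 height=0 style="display: none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_PAGE, "www.victim.example"):
        print("suspicious iframe:", src)
```

Run it over the HTML your own server actually returns (fetched with a browser-like User-Agent, since some injections only serve to browsers), not over the files on disk, because the injection may live in a template, a database field or a compromised include rather than in the static page.
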
Some background information:
Mass infection turns websites into exploit launch pads
Free Antivirus Software
A grim day for browser security at hacker contest

Saturday, August 22, 2009

SMS based 2-factor authentication not that secure?

There is a push to get away from token-based two-factor authentication (for the not so security-savvy folks: tokens are the little devices that display numbers and are used to log in to your bank or work account). Using your cell phone (for the non-US readers: mobile phone) instead seems to be a general trend. Many companies are now offering SMS-based two-factor authentication, using your cell phone as a secure device to deliver a code to you.

How does it work? A text message (SMS) containing a code is sent to your cell phone. Once received, you simply type it in when logging into your account online.
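
The server side of that exchange, as an added example for this post (not code from any bank or vendor): it generates a random code, stores only a hash of it together with an expiry, hands the code to the SMS channel, and accepts it once, before expiry, and only within a handful of guesses. The SMS gateway is a stand-in callable, the phone number and user name are made up, and the clock is injectable so that expiry can be demonstrated. What this cannot fix is the channel: whatever the gateway is handed is what the phone network, and anyone able to read it, sees.

```python
"""Server side of SMS one-time codes (added example for this post; not any vendor's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is worthless after this
MAX_ATTEMPTS = 5         # 6 digits = 1,000,000 codes; the lockout is what makes guessing hopeless


@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._send_sms = send_sms      # stand-in for the SMS gateway (phone, text)
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _hash(user: str, code: str) -> bytes:
        # Only the hash is stored, so a leaked table cannot be replayed directly.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user: str, phone: str) -> None:
        """Fresh random code; remember hash + expiry; hand the code to the SMS channel.
        Re-issuing replaces any earlier code for the user."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(self._hash(user, code),
                                          self._clock() + CODE_TTL_SECONDS)
        self._send_sms(phone, f"Your login code is {code}. It expires in 5 minutes.")

    def verify(self, user: str, submitted: str) -> bool:
        """Accept a code at most once, only before expiry, and within MAX_ATTEMPTS guesses."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(self._hash(user, submitted), entry.code_hash)
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user]    # used up, or locked out: a new code must be issued
        return ok


def demo() -> dict:
    """Accept, replay, expiry and lockout, with a captured SMS channel and a fake clock."""
    sent = []                          # what the channel carried; an interceptor sees exactly this
    now = [1_000_000.0]
    svc = SmsOtpService(lambda phone, text: sent.append(text), clock=lambda: now[0])
    read_code = lambda: sent[-1].split("code is ")[1][:CODE_DIGITS]

    svc.issue("alice", "+15555550100")
    accepted = svc.verify("alice", read_code())
    replayed = svc.verify("alice", read_code())          # same code a second time

    svc.issue("alice", "+15555550100")
    now[0] += CODE_TTL_SECONDS + 1
    expired = svc.verify("alice", read_code())

    svc.issue("alice", "+15555550100")
    real = int(read_code())
    wrong = [f"{(real + i) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
             for i in range(1, MAX_ATTEMPTS + 1)]
    guesses = [svc.verify("alice", g) for g in wrong]
    locked_out = svc.verify("alice", read_code())        # correct code, but too late

    return {"accepted": accepted, "replayed": replayed, "expired": expired,
            "guesses": guesses, "locked_out": locked_out}


if __name__ == "__main__":
    print(demo())
```

The hash, expiry and attempt counter protect against guessing and replay on the server; they do nothing about a code being read off the air or off a compromised handset, which is the concern the rest of this post is about.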

The idea sounds brilliant: cutting costs by not buying expensive token devices, and as an extra benefit, no clunky device on your key chain.

But as always the devil is in the details. Is a cell phone really that secure? GSM has been the predominant standard worldwide for quite some time, and its core was developed quite some time ago. At that time some compromises were made when it came to security, simply to shave off some of the costs.

Also, in some of the more "regulated" countries the encryption offered by the GSM standard is not used (e.g. Pakistan). Other operators, like Etisalat, a mobile operator in the United Arab Emirates, seem to have their own idea of privacy and security. According to several news articles, Etisalat tried to install malware on its customers' BlackBerries to snoop on them. It is suspected that Etisalat was serving the local government when doing this, but that is still not clear.

Another development of interest is that certain cell phone models are suddenly increasing in price on the second-hand market. A German Nokia 1100 handset supposedly went for 25K Euros in the Netherlands. Rumor has it that those handsets can be used to intercept SMS messages. An investigation into the technical details is currently pending, but if it is possible then it is just a question of time before other models with even bigger flaws come into demand.

All in all this does not look too good if you ask me. Cell phones were designed for voice calls, and even for that security has been lacking. Now we are trying to use this platform for way more: as a secure communication device that allows us to log into critical systems. If you ask me, we have a little way to go before there is a clear trust model for channel and end-point security on mobile devices in general.

Some background reading:

25K Euros for an old Nokia
Handset makers the criminal's friend
Eight accused in AT&T, T-Mobile $22m ID theft scam


Friday, August 21, 2009

Ameriprise website security: Fly-by-night operation

Ameriprise, one of the larger financial investment companies, did not patch major security flaws on its investment site for at least five months. Russ McRee notified Ameriprise Financial several times, but none of his emails were answered. The flaws Mr. McRee discovered could be exploited even by less skilled attackers and ultimately put Ameriprise's customers at risk. One of the flaws allowed sending Ameriprise customers bona fide links to the Ameriprise website that opened pages intermingling counterfeit content with legitimate text and graphics.

I can only think of one case that tops this "fly-by-night" operation, and that is ISH/UnityMedia, a cable company in Germany, which actually replied to emails complaining about spam coming from its network with the comment "Just configure your anti-spam software, this is not our problem".

Seems like irresponsibility is on the rise.

Read the article: Security bugs crawl all over financial giant’s website

Wednesday, August 19, 2009

Radisson joining the club of credit card victims

Today, August 19th, Radisson Hotels put up an open letter addressing guests who stayed at the chain between November 2008 and May 2009. The letter notifies guests of a security breach that exposed credit and debit card information. According to the letter only some hotels were involved in this incident, but the letter does not specify which ones.

As usual, free credit monitoring for a year is offered. I wonder who came up with this idea of letting organizations off the hook so cheaply. It is well known in the security industry that stolen credit card information is not necessarily used immediately and is sometimes stored/traded for years before being used.

If this year continues like this, close to every credit card owner in the United States will have free credit monitoring for at least a year, or maybe even double and triple monitoring.

Read the letter:
Radisson's open letter

Monday, August 17, 2009

Data of over 130 Million Credit Cards stolen

This year will become a record-breaking one for sure. Albert Gonzalez, a man who is already jailed on charges of hacking into major retail computer networks, has been indicted a third time for allegedly stealing data on a record number of credit and debit cards. He is accused of stealing data on 130 million (yes, the number with six zeros) credit cards, some of them used at stores like 7-Eleven and other well-known chains.

According to prosecutors, Gonzalez is charged along with two co-conspirators identified only as "Hacker 1 and Hacker 2, both of Russia." They allegedly moved the data to computer servers operating in California and Illinois, and overseas in Latvia, the Netherlands and Ukraine.

What is "entertaining" to me is that he could also be fined up to $500,000... which he can probably pay with a credit card; the question is whose card?

Article in the Guardian

Sunday, August 16, 2009

111,000 bogus Antivirus products found in Q1 2009

According to PandaLabs, more than 111,000 bogus antivirus (or other anti-malware) tools, so-called scareware, were discovered in the first quarter of 2009. This is more than was discovered in all of 2008!

Before downloading and using a tool that claims to check for and remove a virus, it is advisable to check it against one of the whitelists to see if the vendor is reputable. Otherwise the tool might infect the computer it is installed on.

Here is a link to a whitelist page: Antivirus Vendor Whitelist

Saturday, August 15, 2009

eVoting - Not ready for prime time

I find the idea of eVoting kind of appealing, but on the other hand scary. With all the security problems we have with our regular IT systems, I am not sure how secure eVoting can be made. I monitored the email threads on the various security blogs for a while, and it seems that some security researchers had quite some fun with eVoting systems.

Here are some interesting articles:
- Voting machine hack costs less than $100K
- Sequoia e-voting machine commandeered by clever attack
- Can DREs provide long lasting security?


Wednesday, August 12, 2009

Cookies for the feds?

That the Obama administration is taking on hot topics is nothing new. This time it is the cookie ban that the federal government has had in place for over 9 years. Since 2000 the federal government has banned so-called "tracking cookies" on government websites. This has caused quite some pain for web application developers and other groups wanting to use them. Now the Obama administration has proposed a revised version of this ban with a three-tiered approach. This seems to be causing the American Civil Liberties Union some pain, and it is opposing the new approach.

Read the online article.

Tuesday, August 11, 2009

US government cybersecurity bigwigs leaving

According to The Register, two key people on President Obama's cyber security staff have left over the last 5 months.

In March, Rod Beckstrom resigned as head of the National Cyber Security Center. He headed an office within the Department of Homeland Security responsible for coordinating the defense of civilian, military, and intelligence networks. According to the article there was quite some frustration on Mr. Beckstrom's side regarding the funding and responsibilities of his office.

Last week Mischel Kwon submitted her letter of resignation. She was the director of the Department of Homeland Security's U.S. Computer Emergency Readiness Team. Again the

According to the Washington Post, Kwon, who was the fourth US-CERT director in five years, was frustrated with bureaucratic obstacles and a lack of authority to fulfill her mission.

According to the Post, the lead White House cyber security official, Melissa E. Hathaway, is also going to step down next week.

What is going on with the nation's cyber security? I must say I have not been impressed so far with the approaches the nation has taken to secure some of its most critical infrastructure. But those resignations make me believe we might have had the right people, but they could not execute.

Here are the articles:
Mischel Kwon article
Rod Beckstrom article

1SSA - Security consulting, training and products: http://www.1ssa.net

Analysis on Twitter DDoS

As I had already suspected, the attacks on Twitter were politically motivated. People do not seem to learn; this just results in the target becoming a martyr. In the case of last week's DDoS attacks on Twitter and Facebook it was a pro-Georgian blogger going by the name of Cyxymu.

F-Secure and McAfee each have put together an analysis that can be read here:
F-Secure
McAfee

Friday, August 07, 2009

Updated: Twitter taken down by distributed denial of service attacks

After a series of complaints from foreign entities and groups, Twitter finally became the target of a distributed denial of service (DDoS) attack. It was just a question of time before that happened: if you can't get the people to shut up, you go after the medium they use to communicate. Twitter is currently operating normally, but the DDoS seems to be ongoing according to Twitter's official blog.

Update: Rumors say that a massive wave of spam using Twitter brought the service to its knees, not a planned DDoS attack.
Update 2: It is now confirmed that it was a DDoS attack targeting a particular account; see the post from 08/11/09.

Link to Twitter's official blog: http://status.twitter.com/post/157191978/ongoing-denial-of-service-attack

Tuesday, August 04, 2009

Hacking the hacker - fake ATMs in Las Vegas

During Defcon and Black Hat in Las Vegas, several ATMs (Automated Teller Machines, for the non-US readers) were discovered that did not dispense any money but charged the user's account anyway. Strangely, that happened at exactly the time two major hacking events were in town.

Read more at: http://www.pcworld.com/businesscenter/article/169473/security_analyst_las_vegas_atms_may_have_malware.html


Friday, July 31, 2009

Hacking for free parking

San Francisco has been working on a computerized parking meter system for some time. It is supposed to collect parking fees via smart cards. It just looks like this is not working that well. I am sure most Europeans who know about the Chaos Computer Club, which has done a lot of research in that area, are not surprised. What do we learn from this? Smart cards are not a silver bullet... or if they are, then you had better know where to aim before shooting yourself in the foot.

Read the full article at: http://www.networkworld.com/news/2009/073009-meter-hackers-find-free-parking.html

Thursday, July 30, 2009

US government's latest computer monitoring program

It is nothing new that governments spy on their own people, not only in countries that have quite a different opinion of what democracy is and how it should be implemented, but also in those that normally pride themselves on being among the first to implement it.

The US government has been asked to provide more details about the new version of Einstein, a program that works at the telecom level, gathering and analyzing data as it passes through the telecoms' backbones. Version 3 of the Einstein program has raised quite some concern at the Center for Democracy and Technology (CDT), which suspects that the new version gathers a lot of privacy-related information.

Read the full report at: http://www.cdt.org/security/20090728_einstein_rpt.pdf

Recording your ATM PIN via the power cable

Two researchers from Italy have developed a new form of skimming (for people not so savvy in security lingo: skimming refers to an attack where an attacker eavesdrops on the information you enter, e.g. your PIN and your ATM card data). This new attack uses the power line to determine which keys were pressed (the presentation demonstrates it on PS/2 keyboards). Another attack they presented shows how the vibrations of a notebook can be recorded and analyzed to reconstruct what was typed.

Their presentation is available at: http://www.blackhat.com/presentations/bh-usa-09/BARISANI/BHUSA09-Barisani-Keystrokes-SLIDES.pdf

Monday, July 27, 2009

Microsoft to issue critical patches out of band

Normally Microsoft sticks to its patch schedule, but this time the vulnerabilities are so critical that MS announced some patches will be issued early next week.

Read what the Washington Post has to say: http://voices.washingtonpost.com/securityfix/2009/07/microsoft_to_issue_emergency_p.html?wprss=securityfix

Network Solutions had a major security breach - CC data exposed

Over a 3-month period attackers could collect as many as 500,000 credit and debit card records after Network Solutions' e-commerce service was hacked and software was planted to eavesdrop on transactions. According to Network Solutions, which came forward last Friday, the eavesdropping took place between March 12th and June 8th.

Network Solutions processes credit and debit card transactions for 4,343 merchants.

Read the full story at http://www.theregister.co.uk/2009/07/25/network_solutions_ecommerce_breach/

Monday, July 13, 2009

Microsoft's Office Web Component vulnerable

Our integrated world, provided by Microsoft... Microsoft announced that exploits are circulating that use a flaw in the Microsoft Office Web Components, which can be exploited through (you guessed it) Internet Explorer. A tool to disable the control until it is fixed is available here: http://support.microsoft.com/kb/973472

Saturday, July 11, 2009

German health-card project at risk due to PKI problems

This is kind of entertaining because it is part of PKI 101: key management. According to Heise, one of the larger publishers of IT magazines in Germany, the root key of the CA has been lost. As a result no more health cards can be signed by the CA, and existing health cards cannot be revoked either. At least this is just the initial trial of this large project, which will eventually mean that nearly every German citizen has a health card signed by that root CA. An HSM that wipes its keys when it suspects tampering is working as designed; what is missing here is a backup of the root key (in a second HSM, or split across several smart cards kept in a safe), which is exactly the key management basics this is about.

According to Heise online, Gematik, the company in charge, commissioned D-Trust, a subsidiary of the Bundesdruckerei (the German federal printing office), to act as the root CA for the health card PKI.

Heise online interviewed Matthias Merx, the firm's managing director: following a voltage drop, "something unusual happened" (comment: whatever that means??) in D-Trust's "Trustcenter", and the HSM deleted the data on its own because it suspected an attack.

Comment: Good job, just like the old days when you carried your cyanide capsule.

Read the full article at: http://www.h-online.com/security/Loss-of-data-has-serious-consequences-for-German-electronic-health-card--/news/113740

ATM security, no not the network, the money machines

I think we all use those wonderful ATMs to get cash from our bank accounts. Who would go to a teller when it is more convenient to just punch in a four-digit PIN and get money? The biggest fear we have is that maybe someone behind us is stealing our PIN and ATM card, or robbing us after we get the cash... It seems a gentleman from Juniper did some research on ATM security and found a way to actually get around the security measures. His talk was expected at Black Hat/Defcon in Las Vegas later this month. It seems that Juniper asked him to pull the presentation due to the high impact of what he has to say. We will keep you posted.

Read the full article at: http://www.scmagazineus.com/Juniper-pulls-researchers-Black-Hat-ATM-talk/article/139402/?DCMP=EMC-SCUS_Newswire

Tuesday, July 07, 2009

Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX control could allow remote code execution

Business as usual... this time an ActiveX control that can be used to remotely execute code on a Windows machine. No patch is available, just a workaround, this time from Microsoft, which seems to understand how critical this one is.

Find the workaround at: http://support.microsoft.com/kb/972890

1SSA - Security consulting, training and products: http://www.1ssa.net

Sunday, July 05, 2009

New MI6 chief on Facebook

This is kind of funny and kind of shocking, but then again it is real life. Sir John Sawers is the upcoming MI6 chief (I am sure I do not need to explain to Bond fans what that stands for, but for the ones that wonder: MI6 is the British secret service), and his wife is posting on Facebook all kinds of personal information that you normally do not want the public to have.

Read the full article at: http://www.mailonsunday.co.uk/news/article-1197562/MI6-chief-blows-cover-wifes-Facebook-account-reveals-family-holidays-showbiz-friends-links-David-Irving.html

1SSA - Security consulting, training and products: http://www.1ssa.net

Friday, July 03, 2009

Microsoft Update Quietly Installs Firefox Extension

We could call it business as usual for Microsoft, or simply another irresponsible move by Microsoft to dominate the browser market. According to various sources, and confirmed by 1SSA, Microsoft has pushed a .NET update that automatically installs an add-on in Firefox that allows for silent(!) installation of code from the web. Some people made the choice to use Firefox precisely because its developers did not allow this. Now Microsoft just installs it without any consent from the user.

Read more here: http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html?wprss=securityfix

Here are instructions on how to uninstall it (for sure): http://annoyances.org/exec/show/article08-600

1SSA - Security consulting, training and products: http://www.1ssa.net

Hackers crack ColdFusion - Drive-by download attack hits multiple hosts

Time to finally upgrade, or at least apply some patches, if you run an older version of ColdFusion on your servers. According to SANS, the number of infected hosts is going up by the hour.

Read more: http://isc.sans.org/diary.html?storyid=6715

1SSA - Security consulting, training and products: http://www.1ssa.net

Latin Best Buy surfers sprayed by drive-by download malware

This is really bad. A major website that the whole nation visits once in a while has a malware download problem. I am sure Best Buy's management has some words for its website and security teams, which I believe are both outsourced to a major outsourcing company here in the US.

Read more about it at: http://blog.trendmicro.com/gumblar-invades-best-buy/#ixzz0KBzplb8I&D

1SSA - Security consulting, training and products: http://www.1ssa.net

iPhone crashing bug could lead to serious exploit

As cool as the iPhone is, the more I read about it the more I am disappointed by some of the features it offers. I was, for example, not aware that it could not execute multiple applications at once, or at least that Apple did not allow for it. So far people are still waiting for a tethering option, which seems to be coming soon. And all those poor people that chose not to use AT&T as provider got locked out by Apple's patch. And now a simple SMS can crash the whole device. I think Apple needs to adjust a bit here... this hype over the iPhone is only going to last as long as it is special... I only say Starbucks. After that it is just a phone that needs to be fixed ;-)

Read the full story at: http://www.theregister.co.uk/2009/07/02/critical_iphone_sms_bug/

1SSA - Security consulting, training and products: http://www.1ssa.net

Thursday, July 02, 2009

Clear the company pre-screening frequent fliers stopped operating

I always wondered who does this, who pays $199 a year for the privilege of bypassing normal airport security? According to a CSO article, 260,000 individuals were part of the program, each paying that fee. This is $52M a year... not enough, I guess, to operate. Clear, the company providing the service, has declared that it can no longer operate the service. An interesting aspect, and nothing new for security professionals: the "data life cycle" for the data collected (e.g. iris scans, fingerprints, etc.) is not clear. Does Clear delete all data, or maybe sell it to a competitor?

Read the full article at: http://www.csoonline.com/article/496471/Lawsuit_Seeks_Refund_for_Clear_Subscribers

1SSA - Security consulting, training and products: http://www.1ssa.net

Tuesday, June 30, 2009

Guilty Plea: Blind Hacker Admits Harassment, Eavesdropping, Fraud

Not necessarily something the neighbors want to see, a SWAT team storming into your house. But I guess for some people that was funny till now.

Read the full article here: http://www.wired.com/threatlevel/2009/01/guilty-plea-bli/

1SSA - Security consulting, training and products: http://www.1ssa.net

Trojans are fastest-growing data-stealing malware

This is nothing new, but it seems that the current approaches are not really getting this problem under control: trojans stealing information from computers.

Read the full article here: http://www.scmagazineus.com/Trojans-are-fastest-growing-data-stealing-malware/article/139252/

1SSA - Security consulting, training and products: http://www.1ssa.net

Britney Spears Twitpic account hacked

A vulnerability in a third-party service through which users post photos to their Twitter profiles allowed hackers on Sunday to falsely report that Britney Spears had died.

Read the full article at: http://www.scmagazineus.com/Britney-Spears-Twitpic-account-hacked-to-post-fake-death-notice/article/139250/

1SSA - Security consulting, training and products: http://www.1ssa.net

Sunday, June 28, 2009

Michael Jackson's death exploited by cybercriminals

Always quick to capitalize on major headlines, spammers have begun sending out messages related to the deaths of Michael Jackson and Farrah Fawcett, security researchers said.

Read the full article here:
Michael Jackson's death exploited by cybercriminals

We are on Twitter - http://www.twitter.com/1ssa

We are now also on Twitter, for the really busy people that do not even have time to read the RSS, Blog or Newsletter version. Take a look at www.twitter.com/1ssa

1SSA - Security consulting, training and products: http://www.1ssa.net

Q2 security highlights

Business as usual I would say...

President Obama's cybersecurity speech was the most notable information security event from the second quarter of 2009, security vendor F-secure said in its quarterly threat summary. The most notable threats from March to June included the Conficker worm, Twitter attacks, and PDF exploits. Conficker, in particular, "proved to be the most significant malware outbreak in recent years," F-Secure said. — AM

Read the full article here:
Q2 security highlights

FTP login credentials at major corporations breached

Who knows what else has been working under the cover for years...

A trojan has reportedly been uncovered that is harvesting FTP login data of major corporations, including the Bank of America, BBC, Amazon, Cisco, Monster.com, Symantec and McAfee.

Read the full article here:
FTP login credentials at major corporations breached