Safari update cages numerous security bugs - The Register - Security

12 March, 2010 04:11 PM
Code inject and info flaws fixed

Apple published an update of its Safari browser on Thursday that plugs 16 security vulnerabilities.…

SSD tools crack passwords 100 times faster - The Register - Security

12 March, 2010 02:42 PM
Ultra brute force attack

Password-cracking tools optimised to work with SSDs have achieved speeds up to 100 times quicker than previously possible.…

More Hollow Coins - Schneier on Security

12 March, 2010 12:58 PM
A hollowed-out U.S. nickel can hold a microSD card. Pound and euro coins are also available. I blogged about this about a year ago as well....

McAfee inadvertently speeds creation of Metasploit IE exploit pack - The Register - Security

12 March, 2010 12:09 PM
Unsanitised blog laid exploit hunt clues

A security researcher has credited McAfee for helping him to develop exploit code that cracks open an unpatched flaw in older versions of Internet Explorer.…

Turkey cuffs 23 'militant' hacker suspects - The Register - Security

12 March, 2010 10:03 AM
PKK s'kiddies

Turkey has arrested 23 hackers suspected of links with the outlawed Kurdistan Workers' Party (PKK) and attacks on government websites.…

Securus Global Roles - Beast Or Buddha

12 March, 2010 07:22 AM

We’re looking for people again. Check out the role advertisement. If you think you fit the role description and want to join one of the region’s best and fastest growing security companies, give us a yell.

Just a note: while we are open to overseas people applying, and we have recruited OS before, having a work visa or the like for Australia is preferred.

--------------------------------------------------------------------
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.

Sarah Palin to testify in email hack trial - The Register - Security

12 March, 2010 06:02 AM
After Yahoo! breach 'paralyzed' Veep campaign

Former Republican vice presidential candidate Sarah Palin will testify in person against the college student accused of breaching her Yahoo mail account and leaking some of its contents online, according to published reports.…


Risky Business #143 -- Cloud computing and the history of electricity - Risky Business

12 March, 2010 05:40 AM
Tagline: Are your electron-tubez cloudy?

On this week's show we're having an extended chat with our good mate Greg Shipley.

Greg's best known as the CTO of Chicago-based information security consultancy Neohapsis, and he'll be joining us to talk about what was on the agenda at the RSA conference. Apparently it's cloud, cloud, cloud... but what does that actually mean, mean, mean? Greg will be along soon to discuss, he's always good.


TSA worker tried to sabotage terror database, feds say - The Register - Security

11 March, 2010 11:59 PM
One week after losing job

A former data analyst for the US Transportation Security Agency has been accused of trying to sabotage a terrorist screening database used to vet people with access to sensitive information and secure areas of the nation’s transportation network.…

Microsoft plants Bing on Google-free Chinese Androids - The Register - Security

11 March, 2010 10:37 PM
Google apps 'postponed' on China carriers

Motorola will soon push Microsoft's Bing search engine onto Android phones in China, after announcing an alliance with the Redmond software giant that will see Bing appear on Androids across the globe.…


One-third of orphaned Zeus botnets find way home - The Register - Security

11 March, 2010 08:04 PM
Cyber security's short-lived victory

The takedown of 100 servers used to control Zeus-related botnets may be a short-lived victory, security researchers said after discovering that about a third of the orphaned channels were able to regain connectivity in less than 48 hours.…


Wikibooks Cryptography Textbook - Schneier on Security

11 March, 2010 06:26 PM
Over at Wikibooks, they're trying to write an open source cryptography textbook....

Using Parameter Pollution and Clickjacking to Aid Anti-CSRF Bypass - ha.ckers.org web application security lab

11 March, 2010 05:06 PM

It’s been a while since I’ve talked about Clickjacking, with only a few exceptions here and there. Mostly because I haven’t seen it much in the wild - at least not yet. But there’s still a lot of research out there to be done. I got an interesting email the other day that talked about a way to use parameter pollution (or a mix of URL parameters and POST) to create a condition where you can defeat CSRF tokens:

The technique, found by Lava Kuppan, describes a scenario where a mix of CSRF, parameter pollution and Clickjacking can defeat CSRF tokens in JSP and (sometimes) in ASP.NET. It’s worth a read. I did briefly mention using CSRF to pre-populate fields that may be necessary to create a Clickjacking scenario during Jeremiah’s and my brief talk at the world OWASP in New York. But this takes it to a new level, where you can pre-load information in such a way that it will actually defeat the application logic in the process. Anyway, cool stuff by Lava.

Koobface gang refresh botnet to beat takedown - The Register - Security

11 March, 2010 04:32 PM
Twitter scourge changes pants

Command and Control servers associated with the infamous Koobface worms have gone through a complete refresh over the last fortnight. Russian net security firm Kaspersky Lab reckons the change up might be aimed at making takedown efforts by cybercrime fighters more difficult.…

Estonian DDoS revenge worm crafter jailed - The Register - Security

11 March, 2010 01:35 PM
Infection still spreading

An Estonian virus writer has been jailed for two and a half years for creating a Windows worm family that launched denial of service attacks on the websites of a local insurance firm and ISP.…

Tories on cyber war: Waffle, mutter, waffle. Um, vote for us! - The Register - Security

11 March, 2010 12:22 PM
'Computers. Clicking, typing. Email. I could go on'

Tory peer and shadow security minister Baroness Pauline Neville Jones has set out her party's thoughts on cyber war and defence. Unfortunately once the waffle is stripped away there's pretty much nothing there.…

Password reset questions dead easy to guess - The Register - Security

11 March, 2010 12:18 PM
Your pet's name is Poochie? You're pwned

Guessing the answer to common password reset questions is far easier than previously thought, according to a new study by computer science researchers.…

Wanted: Trust Detector - Schneier on Security

11 March, 2010 12:17 PM
It's good to dream: IARPA's five-year plan aims to design experiments that can measure trust with high certainty -- a tricky proposition for a psychological study. Developing such experimental protocols could prove very useful for assessing levels of trust within one-on-one talks, or even during group interactions. A second part of the IARPA proposal might involve using new types of...

Bogus Playstation emulators pack Trojan payload - The Register - Security

11 March, 2010 10:49 AM
'Will be around for a long time'

Retro gaming fans are being targeted in a new con designed to infect computers with a Trojan linked to scareware scams.…

PayPal restores Cryptome for real - The Register - Security

11 March, 2010 10:28 AM
Now go away

PayPal has finally made good on its pledge to restore Cryptome's account many hours after the firm's head of global communications told Register readers it had already done so.…

Zeus botnets suffer mighty blow after ISP taken offline - The Register - Security

10 March, 2010 11:23 PM
One quarter of C&C channels vanish

At least a quarter of the command and control servers linked to Zeus-related botnets have suddenly gone quiet, continuing a recent trend of takedowns hitting some of the world's most nefarious cyber operations.…


Nose Biometrics - Schneier on Security

10 March, 2010 07:47 PM
Really: Since they are hard to conceal, the study says, noses would work well for identification in covert surveillance. The researchers say noses have been overlooked in the growing field of biometrics, studies into ways of identifying distinguishing traits in people. "Noses are prominent facial features and yet their use as a biometric has been largely unexplored," said the University...

Google boss says something will happen in China 'soon' - The Register - Security

10 March, 2010 07:20 PM
Eight weeks and counting

Google CEO Eric Schmidt has reiterated that the company is currently in negotiations with the Chinese government over its future in the country - despite the Chinese government's claims to the contrary - and he expects some sort of development "soon".…


Cryptome: PayPal a 'liar, cheat and a thug' - The Register - Security

10 March, 2010 04:10 PM
Account still restricted

"PayPal is a fucking liar, a cheat and a thug," says Cryptome operator John Young. The eBay-owned payment service closed the Cryptome account last week, with over $5,000 of donations intended for Young in limbo.…

UK plastic fraud losses fall for first time in 3 years - The Register - Security

10 March, 2010 01:21 PM
Online banking losses up though

A rise in online banking fraud losses took some of the shine off the overall fall in debit and credit fraud in the UK last year.…

The Limits of Identity Cards - Schneier on Security

10 March, 2010 01:09 PM
Good legal paper on the limits of identity cards: Stephen Mason and Nick Bohm, "Identity and its Verification," in Computer Law & Security Review, Volume 26, Number 1, Jan 2010. Those faced with the problem of how to verify a person's identity would be well advised to ask themselves the question, 'Identity with what?' An enquirer equipped with the answer...

Twitter adds filter to cut phishing lines - The Register - Security

10 March, 2010 12:46 PM
Every twt.tl bit helps

Twitter has tightened up security procedures in order to curtail phishing attacks against users of the micro-blogging service, which have become rampant over recent weeks.…

Max Clifford takes £1m to drop hack probe - The Register - Security

10 March, 2010 09:29 AM
Kiss and don't tell

Celebrity publicist Max Clifford has agreed to accept a £1m plus payoff in exchange for dropping phone hacking allegations against the News of the World.…

Suburban woman accused of using net to recruit terrorists - The Register - Security

10 March, 2010 07:02 AM
Feds cuff JihadJane

A suburban Pennsylvania woman who went by the online alias JihadJane used the internet to recruit Islamic terrorists and to plot the assassination of a Swedish cartoonist who depicted the Prophet Mohammed, according to a federal indictment unsealed Tuesday.…

Fraud-prevention service ponies up $12m for 'false' ads - The Register - Security

09 March, 2010 11:17 PM
Agrees to safeguard customer data

An Arizona company that sells services designed to prevent identity theft has agreed to pay $12m to settle charges it oversold their effectiveness and didn't adequately protect sensitive customer data.…

It's official: Adobe Reader is world's most-exploited app - The Register - Security

09 March, 2010 08:33 PM
The new Microsoft

Adobe's ubiquitous Reader application has replaced Microsoft Word as the program that's most often targeted in malware campaigns, according to figures compiled by F-Secure.…

New Internet Explorer code-execution attacks go wild - The Register - Security

09 March, 2010 07:08 PM
IE 6 and 7 users targeted

Online thugs are exploiting a security bug in earlier versions of Internet Explorer that allows them to remotely execute malicious code, Microsoft warned on Tuesday.…


Marc Rotenberg on Google's Italian Privacy Case - Schneier on Security

09 March, 2010 06:36 PM
Interesting commentary: I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established...

March 2010 Security Bulletin Release - The Microsoft Security Response Center (MSRC)

09 March, 2010 06:02 PM

Today we are releasing two Important security bulletins addressing eight vulnerabilities in Windows and Microsoft Office. Both bulletins have an aggregate Exploitability Index rating of “1” so we recommend that customers deploy these updates as soon as possible. The Microsoft Exploitability Index provides additional information to help customers prioritize deployment of monthly security bulletins. A summary of today’s security updates can be found on the Microsoft Security Bulletin webpage.

MS10-016 addresses one vulnerability in Windows Movie Maker. Both Windows XP and Windows Vista ship with affected versions (2.1 and 6.0 respectively). Version 2.6 is also vulnerable and can be freely downloaded and installed from the web. Customers who install 2.6 on any supported platform, including Windows 7, will be offered the update. In order to take advantage of the vulnerability, a user would need to open a specially crafted Movie Maker project file. These are files with the .mswmm file extension.

The MS10-016 bulletin also calls out Microsoft Producer 2003 in the affected products list. Producer 2003 is a free download with limited distribution. At this time, we are not offering an update for Producer 2003. Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update. Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows. While we continue to investigate Producer 2003, we recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security.

MS10-017 affects all currently supported versions of Microsoft Office Excel. It also affects Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007. As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited.

Since both of today’s bulletins require user interaction, we give them both a “2” on our deployment priority scale.

Our Severity and Exploitability Index slide offers additional guidance to help customers prioritize this month’s bulletins.

In the following video, Adrian Stone and I give a brief overview of today’s bulletins.


Today we also re-released MS09-033 to add Virtual Server 2005 to the affected products list. Customers who have already installed the update for affected products do not have any additional actions.

Additionally, we continue to monitor the threat landscape around Security Advisory 981169 regarding a vulnerability in VBScript that could allow remote code execution. We are not currently aware of any active attacks but encourage customers to review the advisory and apply the suggested workarounds where possible. Customers that are running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected.

Please join us tomorrow for a public webcast where Adrian Stone and I will go into detail on these bulletins and answer customer questions with the help of the engineers who worked to produce them.

Date: Wednesday, March 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427711

Thanks!

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Security Advisory 981374 Released - The Microsoft Security Response Center (MSRC)

09 March, 2010 04:28 PM

Hi everyone,

Today we released Security Advisory 981374 addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is not affected by this issue. Customers using Internet Explorer 6 or 7 should upgrade to Internet Explorer 8 immediately to benefit from the improved security features and defense in depth protections. Additionally, Internet Explorer 5.01 on Windows 2000 is not affected.


At this time, we are aware of targeted attacks seeking to exploit this vulnerability against Internet Explorer 6. Internet Explorer Protected Mode in Internet Explorer 7 running on Windows Vista helps to mitigate the impact of this issue. Additionally, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. Please review the Security Advisory for additional workarounds which include modifying the Access Control List (ACL) on iepeers.dll (the affected component), setting the Internet and local Intranet security zones to "high", configuring Internet Explorer to prompt before running Active Scripting, and enabling Data Execution Prevention (DEP) where possible which makes it difficult to successfully exploit the vulnerability.


As always, we are investigating this issue and will take appropriate action to protect customers when we have finalized a solution. This may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Anyone believed to have been affected can visit http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Additionally, customers in the United States should contact their local FBI office or report their situation at www.ic3.gov. Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative at http://support.microsoft.com/common/international.aspx.

We are also working with our Microsoft Active Protections Program (MAPP), the Microsoft Security Response Alliance (MSRA), authorities and other industry partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.

The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.

Please review the advisory for additional details and if the situation changes, we will provide an update here on the MSRC blog.

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

FA launches security probe after England team bugged - The Register - Security

09 March, 2010 04:20 PM
Lancaster Gate-gate

Reported attempts to sell recordings of conversations between England squad players and coaches have sparked a security breach investigation at the FA.…

Smartphone app botnet experiment blows up a storm - The Register - Security

09 March, 2010 03:37 PM
WeatherFist shows phone vulnerability, devs claim

Security researchers fooled nearly 8,000 iPhone and Android users into joining a mobile smartphone "botnet" under the guise of installing an apparently innocuous weather app.…

Guide to Microsoft Police Forensic Services - Schneier on Security

09 March, 2010 12:59 PM
The "Microsoft Online Services Global Criminal Compliance Handbook (U.S. Domestic Version)" (also can be found here, here, and here) outlines exactly what Microsoft will do upon police request. Here's a good summary of what's in it: The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft's stored user information. It also...

Why is “Commander” still allowed to do business? - Beast Or Buddha

09 March, 2010 11:56 AM

This is a dodgy operation who went bankrupt and did not pay their bills but somehow still exist under the same name?

http://www.commander.com/

Stay away from them. Weird they exist.

Vodafone ships Mariposa-infected HTC Magic - The Register - Security

09 March, 2010 10:56 AM
Android phone comes riddled with bots

Updated: Vodafone has been blamed for shipping Mariposa botnet malware and other nasties on an HTC Magic Android smartphone it supplied.…