Slashdot Mirror

← Back to Domains

Domain: securityfocus.com

Stories and comments across the archive that link to securityfocus.com.

Stories · 365

  1. Blizzard's Warden Thwarted by Sony's DRM Rootkit

    Yro · Privacy · · posted by CmdrTaco · from the why-openness-matters dept. · 418 comments
    shotfeel writes "First, news of Warden -a bit of code from Blizzard's WoW to trounce game cheats. Then, a Sony rootkit to make your computer safe for music. Now, news that you can use the Sony rootkit to make your game cheats safe from the Warden."

  2. Banks to Use 2-factor Authentication by End of 2006

    It · Security · · posted by samzenpus · from the proof-positive dept. · 313 comments
    Evil Grinn writes "As reported on Yahoo and elsewhere the Federal Financial Institutions Examination Council (FFIEC) has given a deadline of end-of-year 2006 for U.S. banks to implement two factor authentication."

  3. Heap Protection Mechanism

    It · Security · · posted by Hemos · from the protecting-ourselves dept. · 365 comments
    An anonymous reader writes "There's an article by Jason Miller on innovation in Unix that talks about OpenBSD's new heap protection mechanism as a major boon for security. Sounds like OpenBSD is going to be the first to support this new security method."

  4. No Defense Against Windows Rootkits?

    It · Security · · posted by CmdrTaco · from the bend-over-and-take-it dept. · 510 comments
    An anonymous reader writes "Spyware bad guys (and also phishing people) started using rootkits technology to stay hidden in a system. The problem is that at the moment the technology to defend a Windows system from these things is very poor. In fact antivirus companies have just started adding basic anti-rootkits technology. So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"

  5. Skype Security and Privacy Concerns

    It · Security · · posted by Zonk · from the conversations-can-hurt dept. · 128 comments
    CDMA_Demo writes "Scott Granneman at Security Focus is discussing the security and privacy issues thanks to eBay's acquisition of Skype. Says the help section on Skypke's website: 'Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive, information. Skype uses 256-bit encryption, which has a total of 1.1 x 1077 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.' Scott Granneman debates that since Skype is owned by eBay and is closed source, we have no way of verifying this claim. Further, from the article: 'At the CyberCrime 2003 conference, Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials: 'I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.' This raises interesting questions about how Skype and eBay together will try to avert cyber criminals from using security flaws in either system to their advantage.'"

  6. Dealing With Laptops in a Business Network?

    Ask · Business · · posted by Cliff · from the portable-intrusion-vectors dept. · 106 comments
    lanimreT asks: "Notebooks are a large problem for IT managers. They carry viruses and other malware back into the network and are less reliable than desktop PCs for more than one reason. Yet, every employee MUST have one for his job. How have other IT managers dealt with the various problems that notebooks create?"

  7. Honeymonkeys Discover Undisclosed Vulnerability

    It · Microsoft · · posted by CmdrTaco · from the bug-hunting-is-dangerous-work dept. · 140 comments
    spafbnerf writes "Securityfocus is running an article on Microsoft's honeymonkey project, previously covered on Slashdot. In early July 2005, this project discovered its first exploit for a vulnerability that had not been publicly disclosed, the JView profiler vulnerability which Microsoft announced later that month. "

  8. Code Auditing the Defcon Way

    It · Security · · posted by Zonk · from the hands-on-classes dept. · 74 comments
    An anonymous reader writes "Last weekend at Defcon, the best and brightest hackers got together to play Capture the Flag, a weekend long hacking event that is the premier event of its kind. According to the results, Shellphish won (UC Santa Barbara students led by professor Giovanni Vigna). An article at SecurityFocus states that the competition was far more technical than in previous years, focusing on reverse engineering skills and code auditing." From the article: "The game required skills that are also required by both security researchers and hackers, such as ability to analyze attack vectors, understanding and automating attacks, finding new, unpredictable ways to exploit things...It's about analyzing the security posture of a system that is given to you and about which you initially know nothing."

  9. Security Hackers Interviewed

    Yro · Security · · posted by Zonk · from the learning-from-the-blue-hats dept. · 57 comments
    An anonymous reader writes "SecurityFocus has published an interview with Dan Kaminsky. He was guest-hacker at Microsoft Blue-Hat event. At the same time, Whitedust is running an interview with Richard Thieme from back in April. Richard is best known for his column 'Islands in the Clickstream' which is syndicated in over 60 countries." Thieme also wrote a column or two for Slashdot back in the day. From the Kaminsky interview: "Corporations are not monolithic -- there is no hive mind that can one day change every opinion towards some sort of 'rightthink'. Microsoft has said the right things about security for years, but then, who hasn't? Security requires more than PR, or even proclamations from C-levels."

  10. Inventor of Proxy Firewall Blames Hackers

    It · Security · · posted by CmdrTaco · from the get-your-rage-out dept. · 742 comments
    An anonymous reader writes "SecurityFocus published an interview with Marcus Ranum, the inventor of the proxy firewall. It's an interesting reading, and the end is even better: Truly, the only people who deserve a complete helping of blame are the hackers. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy."

  11. Inventor of Proxy Firewall Blames Hackers

    It · Security · · posted by CmdrTaco · from the get-your-rage-out dept. · 742 comments
    An anonymous reader writes "SecurityFocus published an interview with Marcus Ranum, the inventor of the proxy firewall. It's an interesting reading, and the end is even better: Truly, the only people who deserve a complete helping of blame are the hackers. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy."

  12. Hunting for Botnet Command and Controls

    Tech · Security · · posted by Zonk · from the owning-the-punkz dept. · 228 comments
    Uky writes "Convinced that the recent upswing in virus and Trojan attacks is directly linked to the creation of botnets for nefarious purposes, a group of high-profile security researchers is fighting back, vigilante-style. The objective of the group, which operates on closed, invite-only mailing lists, is to pinpoint and ultimately disable the C&C (command-and-control) infrastructure that sends instructions to millions of zombie drone machines hijacked by malicious hackers." From the article: "Using data from IP flows passing through routers and reverse-engineering tools to peek under the hood of new Trojans, Thompson said the researchers are able to figure out how the botnet owner sends instructions to the compromised machines."

  13. Device Drivers Filled with Flaws, Pose Risk

    Security · · posted by ryuzaki0 · from the enemy-within dept. · 189 comments
    Gary W. Longsine writes "Security Focus describes device drivers as an untapped source of buffer overflows, posing substantial risk not typically considered as part of a standard risk assessment. The security risks of device drivers on both Windows and Linux, including network (remotely exploitable) and hardware drivers (typically only locally exploitable) are discussed in the article. I've noticed that software you wouldn't expect sometimes installs a device driver component. I can understand this as a component of an antivirus or host based firewall, but it seems to be an oddly common design pattern on Windows, which clearly poses substantial risk."

  14. Witty Worm Kick-Start Methods Revealed

    It · Worms · · posted by CmdrTaco · from the know-your-foe dept. · 150 comments
    voixderaison writes "Security Focus reveals more details about the methods used to seed the Witty worm last year. You might want to read the analysis at CAIDA for background and refresher on this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives. A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."

  15. Witty Worm Kick-Start Methods Revealed

    It · Worms · · posted by CmdrTaco · from the know-your-foe dept. · 150 comments
    voixderaison writes "Security Focus reveals more details about the methods used to seed the Witty worm last year. You might want to read the analysis at CAIDA for background and refresher on this groundbreaking worm, which spread very rapidly through a small population of systems, and then waxed their hard drives. A flaw in its random number generator seems to have protected 10% of the internet from the Witty worm."

  16. Current Crypto Trends with Bruce Schneier

    It · Security · · posted by Zonk · from the my-password-is-***** dept. · 196 comments
    Saint Aardvark writes "SecurityFocus has published an interview with Bruce Schneier. Fascinating stuff, especially the level-headed assessments of the NSA, spam and the impact of full disclosure: 'Q: Since most crypto protocols on the internet, such as SSL or SSH, uses public-keys to build a secure channel, wouldn't a unexpected public disclosure create a chaos on the internet ? A: No. Chaos is hard to create, even on the Internet. Here's an example. Go to Amazon.com. Buy a book without using SSL. Watch the total lack of chaos.'"

  17. Security for the Paranoid

    It · Security · · posted by timothy · from the middle-firewall-is-spying-on-you dept. · 449 comments
    Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other Security profesionals say he is too Paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."

  18. Enforcing Crytographically Strong Passwords

    It · Security · · posted by Zonk · from the nd3knsdkh238979103dsw dept. · 429 comments
    Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated password for the user to choose from. Two issues pointed with this concept, were Shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated password. A full summary of this discussion is available. Any thoughts from slashdotters?"

  19. Enforcing Crytographically Strong Passwords

    It · Security · · posted by Zonk · from the nd3knsdkh238979103dsw dept. · 429 comments
    Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated password for the user to choose from. Two issues pointed with this concept, were Shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated password. A full summary of this discussion is available. Any thoughts from slashdotters?"

  20. GIAC/SANS Certification Changes?

    Ask · Security · · posted by Cliff · from the values-in-practicality dept. · 27 comments
    venom600 wonders: "SANS and GIAC have recently changed their certification requirements, no longer requiring a practical assignment be completed in order to be certified. This has created some discussion around the value of their certifications moving forward. In addition, SANS recently asked current certified individuals (in an email) to provide quotes about the value of their certifications for an upcoming brochure. Since the requirements have changed, the value of the certification has changed as well, making any quotes an unfair assessment of value. This brings me to my question: What IT security certifications are left (if any) that actually provide value to you?"

  21. Some Linux Distros Found Vulnerable By Default

    Linux · Security · · posted by Zonk · from the change-the-settings dept. · 541 comments
    TuringTest writes "Security Focus carries an article about a security compromise found on several major distros due to bad default settings in the Linux kernel. 'It's a sad day when an ancient fork bomb attack can still take down most of the latest Linux distributions', says the writer. The attack was performed by spawning lots of processes from a normal user shell. Is interesting to note that Debian was not among the distros that fell to the attack. The writer also praises the OpenBSD policy of Secure by Default."

  22. Some Linux Distros Found Vulnerable By Default

    Linux · Security · · posted by Zonk · from the change-the-settings dept. · 541 comments
    TuringTest writes "Security Focus carries an article about a security compromise found on several major distros due to bad default settings in the Linux kernel. 'It's a sad day when an ancient fork bomb attack can still take down most of the latest Linux distributions', says the writer. The attack was performed by spawning lots of processes from a normal user shell. Is interesting to note that Debian was not among the distros that fell to the attack. The writer also praises the OpenBSD policy of Secure by Default."

  23. Windows 2003 and XP SP2 Vulnerable To LAND Attack

    Tech · Windows · · posted by Hemos · from the one-if-by-sea-two-if-by-LAND dept. · 534 comments
    An anonymous reader writes "Dejan Levaja, a Serbian security engineer has discovered that nearly 8 years after the attack was first made public, WIndows 2003 and Windows XP SP2 are in fact vulnerable to the historic LAND attack." Granted, you need to have the firewall turned off for this work, but there's a whole lotta machines that don't have it turned on.

  24. U.S. Agencies Earn D+ on Computer Security

    It · Security · · posted by CowboyNeal · from the but-it-still-passes dept. · 190 comments
    MirrororriM writes "Seven of the 24 largest agencies received failing grades, including the departments of Energy and Homeland Security. The Homeland Security Department encompasses dozens of agencies and offices previously elsewhere in government but also includes the National Cyber Security Division, responsible for improving the security of the country's computer networks. 'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'"

  25. NSA to Become Government Net 'Traffic Cop?'

    Yro · Usa · · posted by CowboyNeal · from the traffic-redirector dept. · 170 comments
    OriginalArlen writes "The NSA may be appointed 'Internet traffic cop', overseeing data sharing among US government agencies for Homeland Security, according to an A.P. report on SecurityFocus. Apparently the aim is to improve security of all government networks." This would seem to follow in the footsteps of creating the Department of Homeland Security, since the aim is to enable better sharing of data between government institutions.

  26. Precedent for Warrantless Net Monitoring Set

    Yro · Court · · posted by samzenpus · from the only-bad-people-need-privacy dept. · 421 comments
    highcon writes "According to this editorial from SecurityFocus, a recent case of a drug dog which pushed the limits of "reasonable search" may have implications for Internet communications in the U.S. This Supreme Court case establishes a precendent whereby "intelligent" packet filters may be deployed which, while scanning the contents of network traffic indiscriminently, only "bark" at communication indicative of illegal activity."

  27. phpBB Forum Down After Defacement

    Developers · Security · · posted by Zonk · 49 comments
    kv9 writes "The phpBB forum has been closed down after the host was cracked into, apparently because of an AWStats hole. Several blogs have been attacked using the same method. Commentary on Netcraft, The Reg and SecurityFocus"

  28. U.S. Plans to Tighten Nuclear Power Plant Security

    It · Security · · posted by samzenpus · from the don't-come-in-here dept. · 248 comments
    CDMA_Demo writes "The 103 nuclear reactors running in USA can voluntarily agree to follow a new 15 page update to a 1996 regulatory guide. The update notes possibility of "unauthorized, undesirable, and unsafe intrusions", and recommends measures aginst such activities. It also recommends such facilities to be cut off from external networks: "Remote access...[that may pose a potential security risk]...should not be implemented". The Slammer worm in 2001 managed to bring down the network at Ohio's David-Besse nuclear plant and concerns kept growing at the United Nations' International Atomic Energy Agency (IAEA)."

  29. U.S. Plans to Tighten Nuclear Power Plant Security

    It · Security · · posted by samzenpus · from the don't-come-in-here dept. · 248 comments
    CDMA_Demo writes "The 103 nuclear reactors running in USA can voluntarily agree to follow a new 15 page update to a 1996 regulatory guide. The update notes possibility of "unauthorized, undesirable, and unsafe intrusions", and recommends measures aginst such activities. It also recommends such facilities to be cut off from external networks: "Remote access...[that may pose a potential security risk]...should not be implemented". The Slammer worm in 2001 managed to bring down the network at Ohio's David-Besse nuclear plant and concerns kept growing at the United Nations' International Atomic Energy Agency (IAEA)."

  30. NCSoft to Roll Out Hackable Anti-Hack Software

    Games · Rpg · · posted by Zonk · from the problems-in-adena-land dept. · 22 comments
    Greyzone writes "NCSoft is preparing to use a security product to protect the Lineage II game process from user hacks while running on a user PC. Unfortunately, this product has serious flaws of its own. Securityfocus.com explains the serious flaws and the possible hacks that can be used against user PCs that have installed this software." From the article "It is true that even with this vulnerability the user must still be tricked into running a malicious application that exploits it. However, in South Korea, where the Gameguard service is widely used, net cafes have become part of the social fabric. These machines are ripe fruit for damage."

  31. Carnivore No More

    Yro · Privacy · · posted by CowboyNeal · from the calling-it-quits dept. · 194 comments
    wikinerd writes "FBI has retired the controversial Carnivore software, strongly criticized by privacy advocates for its email capturing abilities. However, it is believed that unspecified commercial surveillance tools are employed now. What does that mean for Internet users' privacy?"

  32. New Attacks on Spam

    It · Spam · · posted by michael · from the war-machine-springs-to-life-opens-up-one-eager-eye dept. · 153 comments
    AttackOfTheDictionaries writes "Project Honey Pot started operating back in November. The Project provides its participants with a script that generates fake webpages with unique honeypot email addresses. The end result is that Project Honey Pot can connect email harvesters' IP addresses with the spam received by those honeypot email addresses. Which is pretty nifty, but left some people asking how that would help legal attacks on spam. Well, it seems that some lawyer over at SecurityFocus has an answer."

  33. Hacker Penetrates T-Mobile Systems

    Yro · Security · · posted by timothy · from the sounds-like-a-movie-plot dept. · 396 comments
    An anonymous reader writes "SecurityFocus.com reports 'a sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved."

  34. Security Issues in Mozilla

    Tech · Mozilla · · posted by michael · from the better-than-IE dept. · 454 comments
    paulius_g writes "SecurityFocus has released a security warning with three problems that affect Mozilla on all platforms. The first issue allows the source of a download to be spoofed, generating a fake URL. This security issue is really easy to replicate: Create a long URL and the downloading box will only display its ending (Mozilla and Firefox). The second issue was created by the way that Mozilla's browsers handle news:// links to newsgroups, hackers can easily create false links and create a buffer overflow (Mozilla 1.7.5 and below, Firefox versions before 1.0). The third exploit affects machines with multiple users. The way that Firefox and Thunderbird store files allows every user to see them and to probably catch the other user's surfing habits (Firefox and Thunderbird). Let's hope that these will be fixed soon!"

  35. Sims 2 Hacks Spread Like Viruses

    Games · Security · · posted by CmdrTaco · from the we-control-the-horizontal-and-the-vertical dept. · 311 comments
    jowens writes "SecurityFocus reports that players sharing house designs through Electronic Arts' Sims 2 Exchange are finding their game behaving oddly: espresso machines mysteriously satisfy all the Sims needs, Sims are suddenly comfortable with open relationships, and the social worker no longer cares how they treat their children. It turns out hacks were spreading invisibly with Sims 2 lots, infecting thousands of downloadable homes, and catching Electronic Arts by surprise. The hackers, who never intended their hacks to be viruses, have even written their own AV scanner to find and control the outbreak."

  36. RCA / Thomson Modem Hack Discovered

    Hardware · Hardhack · · posted by Hemos · from the the-joy-of-hacking dept. · 182 comments
    An anonymous reader writes "Those un-employed modem hackers are at it again. The group known as TCNiSO has released a very interesting hardware modification for RCA / Thomson cable modems. The modification is done by grounding the bus clock on the serial EEPROM which throws the device into a diagnostic panic mode. Then by using the debug tools from the embedded console to reprogram the EEPROM, a user can permanently enable a developers menu which gives complete control of the modem, such as modifying the hardware addresses or flashing new firmware. Now if only these guys can figure out how to enable the Bluetooth features on my v710 phone..."

  37. Four New Unpatched Windows Vulnerabilities

    It · Security · · posted by CowboyNeal · from the most-wonderful-time-of-the-year dept. · 273 comments
    peeon writes "Right before Christmas, four new Windows NT/2k/XP vulnerabilities were posted to the Bugtraq list. This story discusses two of the vulnerabilities in the LoadImage function (buffer overflow) and Windows Help program (heap overflow), but the Chinese company discovered two more exploits in the parsing of a specially crafted ANI file (causes DoS). A Bugtraq posting has more details."

  38. WEP And PPTP Password Crackers Released

    Hardware · Security · · posted by timothy · from the be-worried dept. · 244 comments
    Jacco de Leeuw writes "SecurityFocus published an article by Michael Ossmann that discusses the new generation of WEP cracking tools for 802.11 wireless networks. These are much faster as they perform passive statistical analysis. In many cases, a WEP key can be determined in minutes or even seconds. For those who have switched to PPTP for securing their wireless nets: Joshua Wright released a new version of his Cisco LEAP cracker called Asleap which can now also recover weak PPTP passwords. Both LEAP and PPTP employ MS-CHAPv2 authentication." Update: 12/22 00:14 GMT by T : Michael Ossmann wrote to point out his last name has two Ns, rather than one.

  39. Nmap Author Receives FBI Subpoenas

    Yro · Privacy · · posted by timothy · from the mens-rea dept. · 390 comments
    spafbnerf writes "Fyodor, author of the open-source network scanning tool Nmap, posted a story to the nmap-hackers list about having received a number of subpoenas from the FBI this year, demanding webserver log data, none of which produced anything, either because they sought old information that had already been deleted from his logs, or because the subpoenas were improperly served. In every case the request was narrowly crafted, usually directed at finding out who visited the site in a very short window of time, such as a five minute period. Fyodor writes: "If they see that an attacker ran the command "wget http://download.insecure.org/nmap/dist/nmap-3.77.t gz" from a compromised host, they assume that she might have obtained that URL by visiting the Nmap download page from her home computer"." Update: 11/25 20:21 GMT by T : Reader kv9 adds a link to Kevin Poulson's story at SecurityFocus.

  40. Federal Judge: Keystroke Logging Isn't Wiretapping

    Yro · Privacy · · posted by timothy · from the not-covered-under-existing-law dept. · 301 comments
    TospenJ writes "A federal judge in Los Angeles has dismissed wiretapping charges against a California man who used a hardware keystroke logger to spy on his employer, SecurityFocus is reporting. The court ruled that the device doesn't violate the federal Wiretap Act because it only intercepted signals off a keyboard cable, not an interstate network. The government is asking for reconsideration. Ironically, the judge relied in part on the Scarfo precedent, which allowed the FBI to use such a keylogger without a wiretap warrant."

  41. Federal Judge: Keystroke Logging Isn't Wiretapping

    Yro · Privacy · · posted by timothy · from the not-covered-under-existing-law dept. · 301 comments
    TospenJ writes "A federal judge in Los Angeles has dismissed wiretapping charges against a California man who used a hardware keystroke logger to spy on his employer, SecurityFocus is reporting. The court ruled that the device doesn't violate the federal Wiretap Act because it only intercepted signals off a keyboard cable, not an interstate network. The government is asking for reconsideration. Ironically, the judge relied in part on the Scarfo precedent, which allowed the FBI to use such a keylogger without a wiretap warrant."

  42. Security Flaws In Linux SMBFS

    It · Security · · posted by timothy · from the or-would-you-rather-wait-for-service-pack-n dept. · 347 comments
    An anonymous reader points out this SecurityFocus alert, which starts "The Linux kernel is reported susceptible to multiple remote vulnerabilities in the SMBFS network file system. These vulnerabilities may lead to the execution of attacker-supplied machine code, information disclosure of kernel memory, or kernel crashes, denying service to legitimate users. Versions of the kernel in both the 2.4, and the 2.6 series are reported susceptible to various issues."

  43. Linux 2.4.28 Kernel Released

    Linux · Announcements · · posted by timothy · from the 2-16-2-32-2-64-2-128 dept. · 47 comments
    An anonymous reader submits "After numerous exploits were released, the Linux kernel team has released 2.4.28. (ChangeLog). Stefan Esser detailed numerous exploits in the 2.x smbfs; other exploits were reported earlier in the week."

  44. Another MS Internet Explorer Security Hole

    Tech · Security · · posted by timothy · from the ever-onward dept. · 18 comments
    chkorn writes "Michal Zalewski detected another security issue in Microsoft's Internet Explorer. With a well formed FRAME or IFRAME tag a Buffer Overflow happens and you can execute bad code on the stack. In his announcement on Bugtraq, he added a proof of concept and explained that all Internet Explorer 6.0 versions are affected, except Windows XP SP2 installations."

  45. Caller ID Spoofing for the Masses

    It · Communications · · posted by michael · from the e.t.-phone-home dept. · 286 comments
    lolly72 writes "SecurityFocus has a story on a new U.S. website offering a caller I.D. falsification service. It's called Camophone. It's being advertised in Google ads that appear with search results for Star38.com, which was the the last service to try and make money off caller I.D. hacking. But unlike Star38.com, Camophone isn't limited to collection agencies and private investigators, and it doesn't cost $125 to sign up. Anyone with a PayPal account can use it, and at five cents a minute, probably will. Who do you want to fake out today?"

  46. Caller ID Spoofing for the Masses

    It · Communications · · posted by michael · from the e.t.-phone-home dept. · 286 comments
    lolly72 writes "SecurityFocus has a story on a new U.S. website offering a caller I.D. falsification service. It's called Camophone. It's being advertised in Google ads that appear with search results for Star38.com, which was the the last service to try and make money off caller I.D. hacking. But unlike Star38.com, Camophone isn't limited to collection agencies and private investigators, and it doesn't cost $125 to sign up. Anyone with a PayPal account can use it, and at five cents a minute, probably will. Who do you want to fake out today?"

  47. PostNuke Open Source CMS Attacked

    It · Security · · posted by michael · from the ruh-roh-shaggy dept. · 300 comments
    ValourX writes "This morning the developers of the free software content management system PostNuke posted a security announcement saying that a vulnerability in the paFileDB download management software allowed an attacker to put up a hacked version of PostNuke for download. That version was live on the PostNuke download site between Sunday at 23:50 GMT and Tuesday at 8:30 GMT. Proprietary software zealots are always saying that open source programs are likely to contain backdoors, but is this situation truly what they mean when they say that? NewsForge (part of OSTG) has the story."

  48. Whopping-Big Data Theft At U.C. Berkeley

    It · Security · · posted by timothy · from the what-pleasant-fellows dept. · 380 comments
    aceta writes "An intruder penetrated a research computer at U.C. Berkeley in August and had access to names, social security numbers and other data for 1.4 million Californians participating in a state social program. CNET calls it the worst intrusion U.C. Berkeley has experienced. SecurityFocus additional details: the hacker used a known vulnerability, and state officials have yanked the university's research access to the data because of the breach. The victims were all receiving or providing at-home care under a state program to help the elderly and disabled. The FBI is investigating."

  49. IE Shines On Broken Code

    Tech · Msie · · posted by timothy · from the crashing-is-unsafe dept. · 900 comments
    mschaef writes "While reading Larry Osterman'a blog (He's a long time Microsoftie, having worked on products dating back to DOS 4.0), I ran across this BugTraq entry on web browser security. Basically, the story is that Michael Zalewski started feeding randomly malformed HTML into Microsoft Internet Explorer, Mozilla, Opera, Lynx, and Links and watching what happened. Bottom line: 'All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows, sometimes memory exhaustion; taking several minutes on average to encounter a tag they couldn't parse.' If you want to try this at home, he's also provided the tools he used in the BugTraq entry."

  50. FCC Asks For Comments On Internet Wiretapping

    Yro · Privacy · · posted by timothy · from the or-you-can-just-whisper dept. · 254 comments
    SECURITY GURU writes "Security Focus has posted a story about The Federal Communications Commission (FCC) launching a public comment period on its plan to compel Internet broadband and VoIP providers to open their networks up to easy surveillance by law enforcement agencies. The 1994 Communications Assistance for Law Enforcement Act (CALEA), a federal law that mandates surveillance backdoors in U.S. telephone networks, is what would allow the FBI to start listening in on Internet communications. The EFF, ACLU, and the Electronic Privacy Information Center all opposed the plan, and an ACLU letter-drive generated hundreds of mailings from citizens against what the group called 'the New Ashcroft Internet Snooping Request.' If you have a comment on why you don't want the governemnt reading your email please post it here. All comments are due by November 8th."