Domain: securityweek.com
Stories and comments across the archive that link to securityweek.com.
Stories · 383
-
Mozilla Posts File Containing Registered User Data
wiredmikey writes "Mozilla yesterday sent an email to registered users of its addons.mozilla.org site, letting them know that it had mistakenly posted a file to a publicly available Web server which contained data from its user database including email addresses, first and last names, and an md5 hash representation of user passwords." -
Hacking Neighbor Pleads Guilty On Death Threats and Porn
wiredmikey writes "Another good reason to make sure your wireless is secured! 'Barry Vincent Ardolf of Blaine, Minnesota pleaded guilty to hacking into his neighbor's wireless Internet system and posing as the neighbor to make threats to kill the Vice President of the United States. Just two days into his federal trial in St. Paul, Ardolf stopped the trial to plead guilty. According to the US Department of Justice, in his plea agreement, Ardolf, 45 years old, who was indicted on June 23, 2010, admitted that in February of 2009, he hacked into his neighbor's wireless Internet connection and created multiple Yahoo.com email accounts in his neighbor's name." Ardolf's guilty plea included child porn possession, as well as the death threats. -
The DNSSEC Chicken & Egg Challenge
wiredmikey writes "To begin DNSSEC implementation or not: that is the question facing a host of enterprises, notably any that engage in e-commerce or online financial transactions (online retailers, banks, investment firms, hospitality and travel, etc.). These businesses find themselves in a catch 22; there are obvious security benefits to adopting Domain Name System Security Extensions or DNSSEC, but there are some severe downsides to being too early in the adoption curve – downsides that are becoming more and more apparent every day. While DNSSEC is getting rave reviews for successful deployment at the foundation levels of the DNS, problems are lurking just ahead, since very few widely utilized end-user applications are able to actually utilize DNSSEC at all. Simply put, DNSSEC can only work if it is supported throughout the hierarchy from publisher to visitor..." -
Chrome Throws Flash Into the Sandbox
wiredmikey writes "Google announced today that it will be extending Chrome's sandboxing technology to include the Flash Player plug-in. 'Sandboxing' technology is a method of isolating an application from the rest of the operating system and tightly controlling its resources. According to Google, the new sandboxing feature adds an additional layer of protection and will help protect users against malicious pages that attempt to hijack systems or steal information from the system." -
Hidden Backdoor Discovered On HP MSA2000 Arrays
wiredmikey writes "A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to." -
DNSSEC Comes To .Net Zone Today
wiredmikey sends news that as of today VeriSign has enabled DNSSEC on the .net zone. This is one milestone in a years-long process of securing the DNS against cache poisoning and other attacks. Next step will be for VeriSign to sign the .com root early next year. "Having DNSSEC enabled for .net domains... [is] important as it represents one of the most critical implementations of DNSSEC technology, since .net serves as the underpinning for many critical Internet functions. The largest zone to be DNSSEC enabled to date, .net currently has more than 13 million... domain name registrations worldwide." -
Amazon Web Services Launches DNS Service
wiredmikey writes "Amazon Web Services (AWS) today announced a highly available and scalable Domain Name System service designed to give developers and businesses a reliable and cost effective way to route end users to Internet applications. The service, 'Route 53,' effectively connects user requests to infrastructure running in AWS — such as an Amazon Elastic Compute Cloud instance, an Amazon Elastic Load Balancer, or an Amazon Simple Storage Service bucket — and can also be used to route users to infrastructure outside of AWS." -
Internet Routing, Looming Disaster?
wiredmikey writes "The Internet's leading architects have considered the rapid growth and fragmentation of core routing tables one of the most significant threats to the long-term stability and scalability of the Internet. In April 2010, about 15% of the world's Internet traffic was hijacked by a set of servers owned by China Telecom. In the technical world, this is typically called a prefix hijack, and it happened due to a couple of wrong tweaks made at China Telecom. Whether this was intentional or not is unknown, but such routing accidents are all too common online. While BGP is the de-facto protocol for inter-domain routing on the Internet, actual routing occurs without checking whether the originator of the route is authorized to do so. The global routing system itself is made up of autonomous systems (AS) which are simply loosely interconnected routing domains. Each autonomous system decides, unilaterally, and even arbitrarily, to trust everything it hears from any other AS, to use that information without validation, and to further transmit that information to its other peers..." -
WikiLeaks Under Denial of Service Attack
wiredmikey writes "WikiLeaks has reported that its Web site is currently under a mass distributed denial of service attack. The attack comes around the time of an expected release of classified State Department documents, which the Obama administration says will put 'countless' lives at risk, threaten global counterterrorism operations and jeopardize US relations with its allies." -
Beta Version of Nevercookie Released
wiredmikey writes "Anonymizer has released a beta version of Nevercookie, the recently announced Firefox plugin designed to protect against the Evercookie, a JavaScript API built and made available to prove that the more you store and the more places you store it, the harder it is for users to control a Web site's ability to uniquely identify their computer. Evercookie is a more persistent form of cookie that enables the storage of cookie data in a number of different locations, such as Flash cookies and various locations of HTML5 storage. This allows websites to track user behavior even when users have enabled private browsing. Because an Evercookie stores data in locations outside of where standard cookies are stored, an Evercookie can rebuild itself unless users go through a number of steps to completely clear and reset their local storage." -
State-Sponsored CyberAttacks Expected To Rise
wiredmikey writes "According to a report released today, IT security professionals will see a rise in State-sponsored attacks, like the Stuxnet worm, that will build on concepts and techniques from the commercial hacker industry to create more powerful 'Advanced Persistent Threats.' The researchers also expect an increase in compromised mobile devices leading to data theft or loss as a result of lagging security measures, and that next year will bring the first major data breaches as a result of compromised devices. The biggest potential impact will be caused by the proliferation of sophisticated mobile devices interacting with corporate networks." -
Nevercookie Eats Evercookies
wiredmikey writes "Anonymizer, Inc. has developed Anonymizer Nevercookie, a free Firefox plugin that protects against the Evercookie, a JavaScript API built and made available by Samy Kamkar (same guy who brought you the Samy Worm and XSS Hacking to Determine Physical Location) who set out to prove that the more you store and the more places you store it, the harder it is for users to control a Web site's ability to uniquely identify their computer. The plugin extends Firefox's private browsing mode by preventing Evercookies from identifying and tracking users." -
Former Student Gets 30 Months For Political DDoS Attacks
wiredmikey writes "A former University of Akron student was sentenced Friday to 30 months in prison, followed by 3 years of supervised release for conducting denial of service attacks on the sites of several prominent conservative figures as well as infecting several systems with botnet software. Mitchell L. Frost, age 23, of Bellevue, Ohio admitted that between August 2006 and March 2007, he initiated denial of service attacks on web servers hosting the sites of political commentators, including Bill O'Reilly, Rudy Giuliani, Ann Coulter, and others." -
Oracle Shells Out $1B To Buy ATG
wiredmikey writes "Oracle announced this morning that it would pay $1.0 Billion in cash to acquire ATG, a provider of high-end e-commerce software." -
CIA Invests In Anti-Cybercrime Startup
wiredmikey writes "Launched by the CIA in 1999, In-Q-Tel's mission is to identify and partner with companies developing cutting-edge technologies that serve the national security interests of the United States. In-Q-Tel has invested an undisclosed sum in Silver Tail Systems, an emerging online fraud prevention and analytics company, an investment they say enables them to offer powerful technology companies in the US intelligence community and further protect the nation's assets." -
Riskiest Web Domains To Visit
wiredmikey writes "According to a report released today, .COM is the riskiest top-level domain; the riskiest country domain is Vietnam (.VN). Japan's .JP ranks as the safest country domain for the second year in a row and .TRAVEL as the safest overall domain. It's interesting to note that .JP (currently $89.99 at GoDaddy) and .TRAVEL ($89.99 at Moniker) domains are also some of the most expensive domains. Are cybercriminals getting cheap with other people's credit cards? Or does the higher price make it more risky?" -
Rise of the Small Botnet
wiredmikey writes "Botnets controlled by criminal enterprises all over the world continue to multiply at a steep rate, and it is now arguably the smaller, harder-to-trace operations that organizations should be the most worried about. Not only are smaller botnets cheaper and easier to build out and operate, but criminals have already realized that large-scale botnet activity attracts unwanted attention, and not just of law enforcement." -
Hacker Business Models
wiredmikey writes "The industrialized hackers are intent on one goal — making money. They also know the basic rules of the business of increasing revenues while cutting costs. As hackers started making money, the field became full of 'professionals' that inspired organized cyber crime. Similar to industrial corporations, hackers have developed their own business models in order to operate as a profitable organization. What do these business models look like? Data has become the hacker's currency. More data, more money. So the attack logic is simple: the more attacks, the more likely victim — so you automate ..." -
Unspoofable Device Identity Using Flash Memory
wiredmikey writes with a story from Security Week that describes a security silver lining to the inevitable errors that arise in NAND flash chips. By seeking out (or intentionally causing) defects in a given part of the chip, a unique profile can be created for any device using NAND flash which the author says may be obscured, but not reproduced: "[W]e recognize devices (or rather: their flash memory) by their defects. Very much like humans recognize faces: by their defects (or deviations from the 'norm') a bigger nose, a bit too bushy eyebrows, bigger cheeks. The nice twist is that if an attacker manages to read your device identity, he cannot inscribe it into his own device. Yes, he can create errors — like we did. But he cannot control where in the block they occur as this relies solely on microscopic manufacturing defects in the silicon." -
IT Security Salaries Expected To Rise In 2011
wiredmikey writes "IT security professionals in the United States can expect starting salaries to increase in 2011, according to a new salary report released today. The guide suggests larger increases in base compensation expected in high-demand segments including information security related positions. According to the report, companies are hiring security professionals to help foil fraud, prevent network breaches and comply with new regulations, to keep confidential information safe and secure." -
Survey Shows How Stupid People Are With Passwords
wiredmikey writes "Another study was released today that once again shows how careless people really are online. When it comes to safeguarding personal information online, many people don't seem to care very much, or don't think enough about it. In the survey of more than 2,500 people, some interesting and scary trends were revealed in how users handle their online passwords..." -
Cybercriminals Shifting To Bugat
wiredmikey writes "Cybercriminals are changing up their weapons, trying to diversify their attack tools using a platform that is less well known and therefore harder to detect and block. With so much focus on the ZeuS Trojan, recent attacks utilized a variant of 'Bugat,' another Trojan horse that steals information from a compromised computer and sends it to a remote host. Bugat was first discovered in January of this year but, like ZeuS, has seen some different variants. In last week's attack, LinkedIn users received emails alerting them of a 'Contact Request,' and encouraging them to click through to a malicious URL where a Java applet fetched and installed the Bugat executable." -
Privacy Option Proposed To Control Behavioral Ads
techinsider sends this quote from Security Week: "A group of media and marketing trade associations, with support from the Council of Better Business Bureaus, today announced the details of a self-regulatory program designed to give consumers enhanced control over the collection and use of data regarding their Web viewing for online behavioral advertising purposes. The program promotes the use of the 'Advertising Option Icon' and accompanying language, to be displayed within or near online advertisements or on Web pages where data is collected and used for behavioral advertising. The Advertising Option Icon indicates a company's use of online behavioral advertising and adherence to the Principles guiding the program. Similar to a Web site’s privacy policy, consumers will be able to link to a clear disclosure statement regarding the company's online behavioral advertising data collection and use practices as well as an easy-to-use opt-out option." -
Cyber Command Will Miss Friday's Operational Deadline
techinsider writes "The U.S. Cyber Command won't be fully operational by Friday's October 1st deadline. A major challenge appears to be staffing the command with qualified personnel, of which it will need over 1,000 skilled employees. General Alexander told Congress his leadership staff was in place but acknowledged there were challenges in bringing in people to the rest of the organization." -
Attack Targets LinkedIn Users With Fake Contact Requests
wiredmikey writes "On Monday morning, cybercriminals began sending massive volumes of spam email messages targeting LinkedIn users. Starting at approximately 10am GMT, users of the popular business-focused social networking site began receiving emails with a fake contact request containing a malicious link. According to Cisco Security Intelligence, these messages accounted for as much as 24% of all spam sent within a 15-minute interval today. If users click, they are taken to a web page that says 'PLEASE WAITING.... 4 SECONDS..' and then redirected to Google, appearing as if nothing has happened. During those four seconds, the site attempted to infect the victim's PC with the ZeuS Malware via a 'drive-by download' – something that requires little or no user interaction to infect a system." -
Facebook the Most Dangerous Social Tool For Businesses
wiredmikey writes "According to a recent study Facebook is by far the most popular and most dangerous social media tool among small-to-medium-sized businesses, with 69 percent of respondents reporting that they have active accounts with this site, followed by Twitter, YouTube, and LinkedIn. Facebook is also the top culprit for malware infections and privacy violations, e.g. the leaking of sensitive company information. YouTube took the second spot for malware infection, while Twitter contributed to a significant number of privacy violations. For companies suffering financial losses from employee privacy violations, Facebook was again cited as the most common social media site where these losses occurred, followed by Twitter, YouTube, and LinkedIn." -
Cybercriminals Create 57,000 Fake Sites Each Week
wiredmikey writes "In a recent investigation, it was discovered that cybercriminals are creating 57,000 new 'fake' websites each week looking to imitate and exploit approximately 375 high-profile brands. eBay and Western Union were the most targeted brands, making up 44 percent of exploited brands discovered. Visa, Amazon, Bank of America and PayPal were also heavily targeted by cybercriminals. Banks comprise the majority of fake websites by far with 65 percent of the total. Online stores and auction sites came in at 27 percent, with eBay taking the spot as the No. 1 most targeted brand on the Web today." -
DoD Takes Criticism From Security Experts On Cyberwar Incident
wiredmikey writes "Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, SillyFDC was rated as Risk Level 1: Very Low, by security firm Symantec." -
Snoop Dogg Joins the War On Cybercrime
wiredmikey writes "Think you can bust out some silly fresh rhymes on the subjects of hacking, identity theft and computer viruses? In a somewhat untraditional partnership, Snoop Dogg and Symantec's Norton want you to show off your lyrical skills on the subject of cybercrime and enter the 'Hack is Wack' cybercrime rap contest. If you have the skills and bust out the phattest rap, you'll receive round trip airfare for two to Los Angeles along with two days and two nights' hotel stay to meet with Snoop's management, learn more about his business. You'll also get two tickets to a Snoop Dogg concert and a new laptop pimped out with Norton Internet Security 2011." -
75% Use Same Password For Social Media & Email
wiredmikey writes "Over 250,000 user names, email addresses, and passwords used for social networking sites can easily be found online. A study of the data collected showed that 75 percent of social networking username and password samples collected online were identical to those used for email accounts. The password data was gathered from blogs, torrents, online collaboration services and other sources. It was found that 43 percent of the data was leaked from online collaboration tools while 21 percent of data was leaked from blog postings. Meanwhile, torrents and users of other social hubs were responsible for leaking 10 percent and 18 percent of user data respectively...." -
Using XSS & Google To Find Physical Location
wiredmikey sends along a brief (and quite poorly written) report from Security Week on Samy Kamkar's talk at Black Hat last week. In the video, which is amusing, he demonstrates how to obtain location information (within 30 feet, in the example he shows) of a user who does no more than visit a malicious website. The technique involves sniffing out the local router, breaking into it to obtain its MAC address, and sending that to Google to extract the router's location from Google's Street View database. -
New Tool Reveals Internet Passwords
wiredmikey writes "A new password cracking tool released today instantly reveals cached passwords to websites in Microsoft Internet Explorer, and mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail, and Windows Live Mail."