http://conference.hitb.org/hitbsecconf2008kl/



hackinthebox

No excuses -- encrypt all laptops
Posted by l33tdawg on Wednesday, July 23, 2008 - 04:13 AM (Reads: 533)
Source: Network World

Every year, more than 5,000 laptops are lost in taxis in London, New York, Chicago and other large cities. According to our research, in 2008 companies' topmost security investment was laptop encryption. Laptop hard drives are getting bigger and can now hold hundreds of thousands to hundreds of millions of sensitive records.

As a CSO, one of your top priorities is probably to keep your company off the front page of the news. Is it inexcusable to have laptops in the field with unencrypted hard drives? With such new open source solutions as TrueCrypt, there are few excuses left: All laptops must be fully encrypted.

Encryption technology is easy, but encryption solutions are hard. Key management and recovery make it difficult to manage large-scale encryption. Even low-cost encryption software for laptops can add up quite quickly if you deploy it on all laptops. Even if you can afford the cost of the software, however, you have to look at the complexity of the whole solutions

Can obscurity make cryptography better?
Posted by l33tdawg on Wednesday, July 23, 2008 - 04:12 AM (Reads: 175)
Source: Computer World (Australia)

I often disagree when the so-called experts talk about security in terms of binary decisions. Managing security risk is always a cost/benefit trade-off compared to the value of the thing being protected.

I have always been particularly bothered by security proponents who repeat the mantra, "Security by obscurity is no security," when that declaration is demonstrably incorrect. Obscurity does have value, sometimes significant value, especially in the context of the defense-in-depth paradigm. I've written several articles defending obscurity each year, both here and elsewhere. Even though I can present facts and numbers, and readily demonstrate repeatable experiments to back up my conclusions, my critics usually rely solely on emotional arguments. At the very least, they can never show me how obscurity decreases security without coming up with hyperbolic, unlikely scenarios. A friend shared a popular saying with me: "I can show you the facts, but never convince you."

Asprox computer virus infects key government and consumer websites
Posted by l33tdawg on Wednesday, July 23, 2008 - 04:11 AM (Reads: 355)
Source: Times Online

Cyber-criminals have attacked key government and consumer websites, allowing them to steal the personal details of anyone browsing the sites, The Times has learnt.

Eastern European hackers are suspected of placing the Asprox virus on more than a thousand British websites, including those run by the NHS and a local council, in the past two weeks.

Experts described the Asprox virus as an alarming departure from commonplace viruses, which tend to be spread through rogue e-mails and unregulated websites. Unlike other viruses, Asprox sits undetected on mainstream sites, with any visitor at risk of being infected. The virus automatically installs itself on a visitor's computer, allowing a hacker to access financial information.

Microsoft's DNS Fix Leads to More Problems
Posted by l33tdawg on Wednesday, July 23, 2008 - 04:10 AM (Reads: 295)
Source: ESJ

The blogosphere is awash with talk about the possible overall weakness of the Domain Name System (DNS) architecture. For its part, Microsoft's released a DNS fix in its patch slate for July, but Redmond seems to have problems just getting it to end users. Moreover, some users of the DNS fix have experienced additional difficulties.

So far, since Microsoft's DNS fix was issued on July 10, there have been two separate problems associated with its installation.

The software giant disclosed last week, in a technical posting on its SBS services blog, that some users experienced interruptions in the Exchange Server services component of application stacks sitting on various Windows operating systems.

China arrests cyber dissident, rights group says
Posted by l33tdawg on Wednesday, July 23, 2008 - 04:09 AM (Reads: 103)
Source: Reuters (UK)

Chinese police have arrested a prominent Internet dissident for violating his probation terms, accusing him of posting articles on overseas websites and receiving guests without permission, a rights group said.

China has been cracking down on dissent in the run-up to next month's Beijing Olympics, fearing any unrest could embarrass the country while the world is watching.

Du Daobin, from the central province of Hebei, was given a suspended sentence for subversion in 2004 after being detained by police in Wuhan for posting online essays in support of fellow dissident Liu Di. Du was then released into house arrest, Reporters Without Borders said in an emailed statement, but was arrested this week.

Courts strike down COPA
Posted by l33tdawg on Wednesday, July 23, 2008 - 04:08 AM (Reads: 102)
Source: vnunet

Ten years after the passing of the Child Online Protection Act (COPA) the law has been ruled unconstitutional by the courts yet again.

The 3rd U.S. Circuit Court of Appeals in Philadelphia today upheld a 2007 decision that the law was overly broad and that parental monitoring software and filtering software was a better way to protect children.

"For years the government has been trying to thwart freedom of speech on the Internet, and for years the courts have been finding the attempts unconstitutional," said Chris Hansen, senior staff attorney with the ACLU First Amendment Working Group. "The government has no more right to censor the Internet than it does books and magazines."

Steve Jobs teases over new Apple products
Posted by l33tdawg on Wednesday, July 23, 2008 - 04:07 AM (Reads: 135)
Source: Electric Pig

Apple held a financial results conference call last night, and while the figures were some of the best in Apple’s history, we were more interested in Steve Jobs’ teasing over brand new products.

“We’re proud to report the best June quarter for both revenue and earnings in Apple’s history,” Jobs said, before dropping the bomb: “We set a new record for Mac sales, we think we have a real winner with our new iPhone 3G, and we’re busy finishing several more wonderful new products to launch in the coming months.”

Jobs’ distinction between current Macs, the iPhone and the company’s “new products” suggests Apple’s got something entirely new to treat us with. But what?

Computer tech hands over secret codes to Newsom in jailhouse visit
Posted by l33tdawg on Wednesday, July 23, 2008 - 04:06 AM (Reads: 130)
Source: SF Gate

The San Francisco computer engineer accused of withholding access codes to the city's network surrendered the password during an unusual jailhouse visit by Mayor Gavin Newsom, authorities said Tuesday.

Newsom came away with the access codes Monday night after talking with Terry Childs, 43, of Pittsburg, who has been held since July 13 on four felony counts stemming from what prosecutors describe as an effort to block administrative access to the network that handles 60 percent of the city's information, including sensitive law enforcement, payroll and jail booking records.

Childs had given officials what turned out to be bogus passwords and then had refused to give the correct ones, even when threatened with arrest, authorities say. But Monday, Childs' defense attorney Erin Crane contacted the mayor's office, setting in motion the secret visit.

Last HOPE to become Next HOPE
Posted by l33tdawg on Wednesday, July 23, 2008 - 03:35 AM (Reads: 118)
Source: CNet News

In case you were worried, HOPE is not dead.

Just as hackers experiment with technology, push boundaries, and subvert the concepts of what it means to be safe and secure, the organizers of the HOPE (Hackers on Planet Earth) conference have had some fun of their own.

Despite calling the event this weekend "Last HOPE," it won't be the final one; just the most recent one, organizer Emmanuel Goldstein told attendees at the closing ceremonies Sunday night. There will be another one in two years. It will be called "Next HOPE," he said.

Kerfuffle erupts as DNS flaw described
Posted by l33tdawg on Wednesday, July 23, 2008 - 03:34 AM (Reads: 124)
Source: Security Focus

Well-known security researcher Halvar Flake rediscovered the flaw in the domain-name system announced by a coalition of software makers and infrastructure providers earlier this month, posting a description of the issue on his Web site on Monday.

In his posting, Flake -- the nom de guerre of Thomas Dullien, CEO of security firm Zynamics -- argued that speculating about the flaw helps software security and then proceeded to describe his theory of the issue. Details of the exact flaw have been kept quiet so that companies can patch the Internet's infrastructure; the original finder of the flaw -- IOActive's director of penetration Dan Kaminsky -- had revealed the issue to a few researchers, but not to Flake.

"I know that Dan asked the public researchers to 'not speculate publicly' about the vulnerability, in order to buy people time," Flake wrote. "This is a commendable goal. I respect Dan's viewpoint, but I disagree that this buys anyone time."

Second firm tests Apple's legal resolve with Mac OS X-ready PCs
Posted by l33tdawg on Wednesday, July 23, 2008 - 03:32 AM (Reads: 106)
Source: Apple Insider

Ignoring action just taken against Psystar, a new company known as Open Tech says it's making Mac OS X-compatible PCs, and believes it has found a loophole that prevents legal action from Apple.

Open Tech Inc. is following in the same vein as its now well-known predecessor and is launching two purportedly "open" PCs, the Open Tech Home budget computer and the quad-core Open Tech XT, that are effectively just custom-built Intel systems based on commonly available -- and somewhat outdated -- parts.

Unlike the similarly-designed Psystar Open Computer (initially OpenMac), Open Tech hopes to promise Mac compatibility while avoiding a conflict with Apple's Software License Agreement that forbids selling Mac OS X installed on non-Apple hardware.

Clever students make hapless admin's job a nightmare
Posted by l33tdawg on Wednesday, July 23, 2008 - 03:30 AM (Reads: 198)
Source: Info World

A computer admin at the school I attended bought a new proxy server to stop our file sharing. It was supposed to block "bad" Web sites in addition to filtering out some of the ports that P2P programs use. Trouble was, all we had to do was use a service such as Proxify to get around it.

The whole student Internet service was set up poorly. It was on the same connection as the school’s computers in the labs, so anytime students started to browse heavily in the dorms or on the campus wireless, all the computers suffered massive slowdown in bandwidth.

The admin was supposed to tell everyone to change their TCP/IP settings so they'd input the IP Address of the proxy server. He left everyone in the dark about this, though, relying on word of mouth to get the job done. (This is the same guy who freaked out when he saw us running Linux on our laptops -- he claimed Linux was only for hackers. He urged us to stay away from it and just run Windows XP.)

Iranian hackers target Israeli Web site over message by Jewish group
Posted by l33tdawg on Wednesday, July 23, 2008 - 03:29 AM (Reads: 108)
Source: Haaretz.com

The Webmaster of Jerusalem Online says Iranian hackers have been trying to damage his site, which offers English-language news from Israel and the Jewish Diaspora.

The story began four days ago, when the Web site posted a video of Malcom Hoenlein, the executive vice chairman of the Conference of Presidents of Major American Jewish Organizations. Hoenlein called on the citizens of Iran to oppose their government, saying it does not represent them or care about their welfare, but is using them only to obtain its own extreme goals.

Since the video appeared, Webmaster Ehud Rozen says, there have been numerous attempts to hack the site. Several hackers managed to get the Web site listed as "dangerous" on Google's search engine. The site investigated, and found that Iranian hackers probably were behind the attacks, Rozen said in a press announcement. "They didn't manage to harm Hoenlein's message, but they did succeed in erasing pictures and damaging links to the site," he wrote.

Singaporean lawyer Anamah Tan latest victim of e-mail hoax
Posted by l33tdawg on Wednesday, July 23, 2008 - 03:26 AM (Reads: 101)
Source: Asia One

WOMEN'S rights advocate Anamah Tan is the latest victim of an e-mail hoax that has hit at least three others in Singapore.

The e-mail, sent to friends and business associates from her Yahoo account, claims that Dr Tan was robbed in London and appeals for money to help her return home. The author claimed the message was written in a hurry and said Dr Tan, a lawyer, was in London 'for an urgent situation'.

'Unfortunately for me, all my money was stolen at the hotel where I lodged,' it read. 'Please can you send me £1,500 today so I can return home. As soon as I get home I would refund it immediately. Write me so I can let you know how to send the money.'

Kaminsky on How He Discovered DNS Flaw and More
Posted by l33tdawg on Wednesday, July 23, 2008 - 03:25 AM (Reads: 194)
Source: Wired (Blog)

Dan Kaminsky is understandably swamped today, given the unexpected early release of information about the critical DNS flaw he discovered that potentially affects the security of every web site on the internet.

But he found some time to speak with Threat Level about how he discovered the vulnerability that has system administrators scrambling to patch before an exploit -- which is expected to go public by the end of today -- is widely available.

Kaminsky discovered the bug by chance about six months ago, which he promptly disclosed to people in the DNS community. At the end of March, an emergency summit was convened at Microsoft's headquarters, gathering sixteen people from around the world to discuss how to address the problem.

'Cold boot' tools surface
Posted by l33tdawg on Wednesday, July 23, 2008 - 03:25 AM (Reads: 135)
Source: vnunet

A set of tools for performing 'cold boot' data recoveries has been posted.

The tools could allow a user to recover disk encryption keys from a recently powered-down computer, according to the researchers who developed them. The source code for the tools was released earlier this week at the Hackers On Planet Earth (HOPE) conference.

The tools follow a study earlier this year by a group of researchers at Princeton University. The study concluded that, given the right tools, it could be possible to recover disk encryption information from a recently shut-down machine. Because memory chips retain data for a short time after being powered down, an attacker could set the machine into a 'cold boot' and obtain the contents of the memory chips before the machine fully starts up.

Mind games: Harnessing the power of your thoughts
Posted by l33tdawg on Wednesday, July 23, 2008 - 03:23 AM (Reads: 103)
Source: The Independent (UK)

The year is 1983 and, in a Tokyo suburb, man (well, one man) is evolving a new use for his opposable thumbs. His tool: a strange lump of plastic attached, via cables and a bigger lump of plastic, to his television. Twenty-five years later, the ungainly set-up, known as the Nintendo Entertainment System, is a relic collecting dust in the gaming graveyard alongside the wood-panelled Atari 2600. But its legacy lives on.

Today's consoles use remotes that have barely changed in principle since Nintendo launched its landmark "D-pad" controller. But change is afoot which is liberating our weary thumbs; within the past two years, we have learnt to wave our hands, dance and poke at screens and, soon, we will need only one muscle to control the action – the brain.

Last week, Satoru Iwata, the president and chief executive of Nintendo, added weight to the chatter sweeping technology conventions and gaming forums – the new frontier in computer control is in the mind. "As soon as we think something in our brain, it will appear within a video game," he told reporters at the games industry's annual E3 conference in Los Angeles.

Are you prepared for targeted attacks?
Posted by l33tdawg on Wednesday, July 23, 2008 - 03:22 AM (Reads: 109)
Source: Network World

In the olden days, we security folks used to point to two kinds of attacks, targeted and random. Because targeted attacks were deemed to be the subject of Clancy and le Carré novels, we quickly focused on so-called random attacks, i.e. viruses and worms. Unfortunately the threatscape has evolved while the technologies we deploy have not. This can lead to problems.

There is still some security in obscurity. If you are a lawn care or construction company without a website you are pretty safe from targeting other than from your employees, who, come to think of it are a big concern as well. Let me put it this way - there is a spectrum of risk. Everyone has to deal with targeting from employees, contractors, customers, and competitors. On one end of that spectrum is the local Italian eatery. On the other end is…oh, let’s see… the British Government.

Malware Spammers Get Sense of Humor
Posted by l33tdawg on Wednesday, July 23, 2008 - 03:22 AM (Reads: 131)
Source: Wired (Blog)

Threat Level was intrigued the other day to get an e-mail with the subject line, "God Destroys Boise for Not Being Gay Enough."

Intrigued enough to open it. The body of the e-mail made an odd reference to Barack Obama being an anorexic, over-exerciser and had a link to a file called viewmovie.html on a U.K. domain owned by Virgin Media. That seemed sketchy, especially since I had no idea who the e-mail was from.

So after a little search engine testing, it turns out the title seems to have been ripped from a somewhat obscure parody story written in June about a San Francisco evangelical preacher saying God was punishing Midwesterners with storms.

Kaspersky says hacking attack did no damage
Posted by l33tdawg on Wednesday, July 23, 2008 - 03:21 AM (Reads: 86)
Source: IT World

L33tdawg: The defacement might not have resulted in damage in the form of data loss, but I'd definitely say it would damage their reputation ever so slightly ;)

The defacement of one of Kaspersky Lab's partner Web sites over the weekend occurred while the site was under construction and offered no data to steal, a senior company official said Tuesday.

A hacker going by the nickname of "m0sted" broke in and left various messages on several pages of a partner site for Malaysia. Screenshots were posted on Zone-H.org, a site that tracks vandalism of other Web sites.

The site actually belongs to one of Kaspersky's partners and was still under development, said David Emm, senior technology consultant. The site had not been formally launched or publicized, he said. "Naturally, we'll be making sure that it's locked down before it goes live and any business is conducted on the site," Emm said.

HITBSecConf2008 - Malaysia
The following speakers have confirmed their participation in HITBSecConf2008 - Malaysia; the premier network security event in Asia and the Middle East!

Day 1 Keynote Speakers

1. Jeremiah Grossman (Founder & Chief Technology Officer, White Hat Security)
2. Marcus Ranum (Chief Security Officer, Tenable Network Security)

Day 2 Keynote Speakers

3. Dr. Anton Chuvakin (Chief Research Officer, Log Logic Inc.)
4. Peter Sunde [brokep] (Founder, The Pirate Bay - TPB) and Fredrik Neij [TiAMO] (Founder, The Pirate Bay - TPB)

Conference Speakers (alphabetical order)

1. AR (Independent Network Security Researcher, Securebits)
2. Adrian ‘pagvac’ Pastor (ProCheckUp Ltd. / GNUCITIZEN)
3. Akshay Agrawal (Practice Manager, Microsoft Information Security ACE Team)
4. Andrew ‘Q’ Righter (HacDC)
5. Alexander Tereshkin (Principal Researcher, Invisible Things Lab)
6. Charlie Miller (Principal Analyst, Independent Security Evaluators)
7. Ching Tim Meng (Security Consultant, Cable & Wireless)
8. Dino Covotsos (Managing Director, Telspace Systems)
9. Dino Dai Zovi (Security Researcher)
10. Ero Carrera (Reverse Engineering Automation Researcher, zynamics GmbH)
11. Haroon Meer (Technical Director, Sensepost Information Security)
12. Hernan Ochoa (Senior Security Consultant, Core Security Technologies)
13. Ilfak Guilfanov (Founder/CEO of Hex-Rays SA and creator of IDA Pro)
14. Jamie Butler (Coauthor of Rootkits: Subverting the Windows Kernel)
15. Jim Geovedi (Member of HERT & Security Consultant, PT. Bellua Asia Pacific)
16. Julian Ho (Chief Operating Officer, THINKSecure Pte. Ltd.)
17. King Tuna (Independent Network Security Researcher)
18. Kris Kaspersky (Independent Network Security Researcher)
19. Lee Chin Sheng [geek00l] (Independent Network Security Researcher)
20. Matthew Geiger (Forensics Specialist, CERT)
21. Meling Mudin [spoonfork] (Independent Network Security Researcher)
22. Marc Weber Tobias (Investigative Attorney and Security Specialist)
23. Nitesh Dhanjani (Senior Manager, Ernst & Young)
24. Paul Craig (Principal Security Consultant, Security-Assessment.com)
25. Pedram Amini (Manager, Security Research, TippingPoint)
26. Petko D. Petkov [pdp] (GNUCITIZEN)
27. Shreeraj Shah (Director, BlueInfy)
28. Saumil Shah (Founder, Net-Square)
29. Teo Sze Siong (Senior Web Security Researcher, F-Secure Corporation)
30. The Grugq (Independent Network Security Researcher)

There are very limited seats and registrants are encouraged to register early!

Packet Storm Security Latest
· dns-writeup.txt
Interesting write up discussing DNS cache poisoning then and now.
· USN-627-1.txt
Ubuntu Security Notice 627-1 - Dan Kaminsky discovered weaknesses in the DNS protocol as implemented by Dnsmasq. A remote attacker could exploit this to spoof DNS entries and poison DNS caches. Among other things, this could lead to misdirected email and web traffic.
· DSECRG-08-032.txt
Claroline eLearning and eWorking Platform version 1.8.10 suffers from cross site scripting vulnerabilities.
· dsa-1613-1.txt
Debian Security Advisory 1613-1 - Multiple vulnerabilities have been identified in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following three issues:
· MDVSA-2008-151.txt
Mandriva Linux Security Advisory - A buffer overflow vulnerability in libxslt could be exploited via an XSL style sheet file with a long XLST transformation match condition, which could possibly lead to the execution of arbitrary code. The updated packages have been patched to correct this issue.
· sipwitch-0.2.2.tar.gz
GNU SIP Witch is a pure SIP-based office telephone call server that supports generic phone system features like call forwarding, hunt groups and call distribution, call coverage and ring groups, holding, and call transfer, as well as offering SIP specific capabilities such as presence and messaging. It supports secure telephone extensions for making calls over the Internet, and intercept/decrypt-free peer-to-peer audio and video extensions. It is not a SIP proxy, a multi-protocol telephone server, or an IP-PBX, and does not try to emulate Asterisk, FreeSWITCH, or Yate.
· pkd-1.0.tgz
ipt_pkd is an iptables extension implementing port knock detection. This project provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. For the knock packet, it uses a UDP packet sent to a random port that contains a SHA-256 of a timestamp, small header, random bytes, and a shared key. ipt_pkd checks the time window of the packet and does the SHA-256 to verify the packet. The shared key is never sent.
· shopcartdx-sql.txt
ShopCartDx version 4.30 suffers from a remote SQL injection vulnerability.