Nabble - Info Security News (ISN)

TSA Leaks Sensitive Airport Screening Manual

2009-12-08T00:10:04Z

http://www.wired.com/threatlevel/2009/12/tsa-leak

By Kim Zetter
Threat Level
Wired.com
December 7, 2009

Who needs anonymous sources when the government is perfectly capable of
leaking its own secrets?

Government workers preparing the release of a Transportation Security
Administration manual that details airport screening procedures badly
bungled their redaction of the .pdf file. Result: The full text of a
document considered "sensitive security information" was inadvertently
leaked.

Anyone who's interested can read about which passengers are more likely
to be targeted for secondary screening, who is exempt from screening,
TSA procedures for screening foreign dignitaries and CIA-escorted
passengers, and extensive instructions for calibrating Siemens
walk-through metal detectors.

The 93-page document also includes sample images of DHS, CIA (see above)
and congressional identification cards, with instructions on what to
look for to verify an authentic pass.

The manual, titled Screening Management Standard Operating Procedure, is
dated May 28, 2008. It contains this warning: "NO PART OF THIS RECORD
MAY BE DISCLOSED TO PERSONS WITHOUT A 'NEED TO KNOW.'"

Notwithstanding that disclaimer, the document appeared on FedBizOpps, a
government clearinghouse that lists federal contracting opportunities
for vendors. It has since been removed from the site, but not before
someone grabbed it and submitted it to the whistleblower site Cryptome,
where the formerly-redacted portions are highlighted in red boxes. The
discovery was first made by a blogger at Wandering Aramean.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Is Ankit Fadia selling Viagra?

2009-12-08T00:09:53Z

http://www.mid-day.com/news/2009/dec/081209-ankit-fadia-hacker-hacked.htm

By Shashank Shekhar
MiD DAY
2009-12-08

Maybe not. But someone has hacked into India's most famous geek's
website and linked it to another one promoting Viagra

It's a case of a protector turning a victim.

The cyber world is buzzing with the news that India's renowned cyber
security guru Ankit Fadia's business website been hacked by spammers,
who have linked it to a site promoting Viagra.

Though Fadia's website, http://www.hackingmobilephones.com/, doesn't
have a visible connection with any outside portal, it has an invisible
link to a website named http://www.uindy.edu/ and some other similar
ones. These are related to advertising and promoting Viagra online. The
hacker has not being detected yet.

When contacted, Fadia said he was aware of the problem but claimed it
had happened because of a fault in the server that hosts his site.

"I don't own the server net4india that hosts my website. The server
hosts various other sites too. The problem lies in the server and all
the sites hosted by it have been infected. But my site is safe to use,"
said Fadia to MiD DAY.

However, cyber crime experts contest Fadia's claims. They say his site
has a coding problem which is indirectly promoting a page selling
Viagra.

Sunny Vaghela, a cyber crime expert from Gujarat, said, "This is a web
application problem and the error lies in the coding of the website not
the server. Seeing the Google cache it's clear that Fadia's site is
under attack. It is really shocking because he claims to secure other
websites."

Another web security analyst from Gurgaon, Himanshu Tiwari, said, "The
problem is not in the server. The website has a loophole. Every visitor
to his website is indirectly promoting the Viagra page. In simple words,
every hit on Fadia's site is being recorded in the other site too,
making it popular. This is not a small problem as it could be used to
send spoof email from the IP address of Fadia's website."

Ankit Fadia's website had been hacked earlier as well and that time too
the geek had blamed the server.

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

White House security 'breached 91 times since 1980'

2009-12-08T00:09:40Z

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article6946937.ece

By Giles Whittell in Washington
The Times
December 8, 2009

If the would-be celebrities who crashed a White House state dinner knew
what the Secret Service knew they might not even have bothered to dress
up.

According to a devastating internal review leaked after Tareq and
Michaele Salahi strolled into the banquet for the Indian Prime Minister
without a ticket, there have been at least 91 breaches of Secret Service
security in the past 30 years, including at least four by a serial
intruder who believes that God has made him undetectable to bodyguards.

It turns out that the men who talk into their cuffs are only human. A
family of four once penetrated the White House security cordon simply by
honking on the horn of their minivan. Five years later an intruder
nicknamed the Paper Boy drove through an open White House gate
unchallenged and gave a Secret Service agent a pair of handcuffs before
he was himself arrested.

In 2003 a stowaway flew several thousand miles across Africa aboard Air
Force One without credentials, claiming when apprehended that he had
brought weapons on to the presidential jet, and four times between 1991
and 2003 the Rev Richard "Rich" Weaver shook hands with presidents he
was not cleared to meet. On at least two of those occasions Mr Weaver
managed to give the Commander in Chief a souvenir of his supposedly
divine mission.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Product Watch: Voice Encryption Firm Offers $250K In Gold To Hack Its Technology

2009-12-08T00:09:30Z

http://www.darkreading.com/vulnerability_management/security/encryption/showArticle.jhtml?articleID=222000888

By Kelly Jackson Higgins
DarkReading
Dec 07, 2009

An Israeli mobile security firm that a month ago offered $100,000 in
gold to anyone who could hack its voice encryption technology has upped
the ante to $250,000. Gold Lock posted a sample of an encrypted voice
conversation on its Website and is offering the golden reward to any
hackers who can crack it and send the company a transcript of the call.

Gold Lock, which sells military-grade mobile devices and data and voice
encryption tools, says the voice call file has been downloaded more than
1,000 times in the Gold Lock Hacker Challenge contest. But that's
nowhere near the number the vendor had expected, so it decided to make
the contest more attractive with a bigger bounty.

"Since 2003, we have been telling everyone how our products provide
unbreakable protection for their voice and data transmissions, but talk
is cheap. So now we are putting our claims to the ultimate test by
inviting anyone that thinks they have the skills to take us down," said
Noam Copel, CEO of Gold Lock, in a statement.

Copel says he doesn't expect to have to give away the gold, however. "I
don't think there is a chance at all that I'll be giving away the gold.
No individual, group or intelligence agency has the skills, technology
or time needed to defeat our technology," he said.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Security breach compromises information on District 86 grads

2009-12-08T00:09:18Z

http://www.pioneerlocal.com/clarendonhills/news/1925539,clarendon-hills-breach-121009-s1.article

By SANDY ILLIAN BOSCH
pioneerlocal.com
December 7, 2009

Hinsdale High School District 86 no longer uses Social Security numbers
to identify students and it no longer uses University of Nebraska
Lincoln to conduct research, Superintendant Nicholas Wahl said upon
hearing of a computer security breach at that involved the names,
addresses and Social Security numbers of 1,400 Hinsdale District 86
graduates.

Wahl said the University of Nebraska has not been used by the district
to conduct research since before his relationship with the school began
in 2005.

The breach, discovered last month, was revealed to effected former
students via letters mailed out last week by the university.

Greg Wittcoff, a 2004 graduate of Hinsdale South High School, said he
was angered by the breach and concerned that nearly a month passed
before he was informed of it.

The security breach involved a computer in the College of Education and
Human Sciences. The university's investigation revealed the computer had
not been adequately secured, allowing unauthorized external access to
the computer and its information.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

New cloud-based service steals Wi-Fi passwords

2009-12-08T00:09:07Z

http://www.computerworld.com/s/article/9141921/New_cloud_based_service_steals_Wi_Fi_passwords?taxonomyId=17

By Robert McMillan
IDG News Service
December 7, 2009

For $34, a new cloud-based hacking service can crack a WPA (Wi-Fi
Protected Access) network password in just 20 minutes, its creator says.

Launched today, the WPA Cracker service bills itself as a useful tool
for security auditors and penetration testers who want to know if they
could break into certain types of WPA networks. It works because of a
known vulnerability in Pre-shared Key (PSK) networks, which are used by
some home and small-business users.

To use the service, the tester submits a small "handshake" file that
contains an initial back-and-forth communication between the WPA router
and a PC. Based on that information, WPA Cracker can tell whether the
network seems vulnerable to this type of attack.

The service was launched by a well-known security researcher who goes by
the name of Moxie Marlinspike. In an interview, he said that he got the
idea for WPA Cracker after talking to other security experts about how
to speed up WPA network auditing. "It's kind of a drag if it takes five
days or two weeks to get your results," he said.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Can Electronic Medical Records Be Secured?

2009-12-08T00:08:46Z

http://www.informationweek.com/news/healthcare/EMR/showArticle.jhtml?articleID=221601440

By Mitch Wagner
InformationWeek
December 5, 2009

While electronic medical records promise massive opportunities for
patient health benefits and reductions in administrative costs, the
privacy and security risks are equally huge.

The Obama administration has set an ambitious goal--to get electronic
medical records on file for every American by 2014. The administration
is offering powerful incentives: $20 billion in stimulus funds as per
the American Recovery and Reinvestment Act (ARRA) of 2009, and stiff
Medicare penalties for healthcare providers that fail to implement EMRs
after 2014.

EMRs offer tantalizing benefits: Improved efficiency via the elimination
of tons of paper files in doctors' offices, and better medical care
through the use of the same kinds of database and data mining
technologies that are now routine in other industries. One example: EMR
systems can flag symptoms and potentially harmful drug interactions that
busy doctors might otherwise miss.

But the accompanying privacy and security threats are significant. When
completed, the nation's EMR infrastructure will be a massive store of
every American's most personal, private information, and a potential
target of abuse by marketers, identity thieves, and unscrupulous
employers and insurance companies.

Regulators are attempting to craft rules that would unlock the benefits
of EMRs while protecting Americans from the security risks. Healthcare
IT pros will be required to implement systems and business processes
that conform to these regulations, or face lost funding, institutional
fines -- and, in some cases, personal criminal penalties.

The new regulations come as the healthcare industry faces big privacy
problems, going back years. In 2003, a medical transcriptionist in
Pakistan threatened to post patient records from the University of
California San Francisco's Medical Center on the Internet unless she was
paid for her work for a transcription service company hired by the
university.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Climategate: was Russian secret service behind email hacking plot?

2009-12-06T23:39:49Z

http://www.telegraph.co.uk/earth/copenhagen-climate-change-confe/6746370/Climategate-was-Russian-secret-service-behind-email-hacking-plot.html

Telegraph.co.uk
06 Dec 2009

Thousands of emails, from the University of East Anglia's Climatic
Research Unit (CRU) were first published on a small server in the city
of Tomsk in Siberia.

So-called 'patriot hackers' from Tomsk have been used in the past by the
Russian secret service, the FSB, to attack websites disliked by the
Kremlin, such as the "denial of service" campaign launched against the
Kavkaz-Tsentr website, over its reports about the war in Chechnya, in
2002.

Russia, a major oil exporter, may be trying to undermine calls to reduce
carbon emissions ahead of the Copenhagen summit on global warming. The
CRU emails included remarks which some claim show scientists had
manipulated the figures to make them fit the theory that humans are
causing global warming.

Achim Steiner, the director of the United Nations Environment Programme,
said the theft of emails from CRU, which is a world-renowned centre for
climate research, had similarities with the Watergate scandal which
brought down US President Richard Nixon.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

USENIX HealthSec '10 Call for Papers Now Available

2009-12-06T23:39:34Z

Forwarded from: Lionel Garth Jones <lgj (at) usenix.org>

On behalf of the 1st USENIX Workshop on Health Security and Privacy
(HealthSec '10) program committee, we invite you to submit innovative
papers covering all aspects of healthcare information security and
privacy. Please submit all papers by April 9, 2010, 11:59 p.m. PDT (firm
deadline).

HealthSec '10 is intended as a forum for lively discussion of
aggressively innovative and potentially disruptive ideas on all aspects
of medical and health security and privacy. A fundamental goal of the
workshop is to promote cross-disciplinary interactions between fields,
including, but not limited to, technology, medicine, and policy.
Surprising results and thought-provoking ideas will be strongly favored;
complete papers with polished results in well-explored research areas
are comparatively discouraged.

Position papers will be selected for their potential to stimulate or
catalyze further research and explorations of new directions, as well as
for their potential to spark productive discussions at the workshop.

Workshop topics are solicited in all areas relating to healthcare
information security and privacy, including:

* Security and privacy models for healthcare information systems
* Industrial experiences in healthcare information systems
* Deployment of open systems for secure and private use of healthcare
information technology
* Security and privacy threats against and countermeasures for existing
and future medical devices
* Regulatory and policy issues of healthcare information systems
* Privacy of medical records
* Usability issues in healthcare information systems
* Threat models for healthcare information systems

Submissions are due Friday, April 9, 2010, 11:59 p.m. PDT
(firm deadline).

For more details on the submission process, please see the complete Call
for Papers at: http://www.usenix.org/healthsec10/cfpa/

We look forward to receiving your submissions!

Kevin Fu, University of Massachusetts Amherst
Tadayoshi Kohno, University of Washington
Avi Rubin, Johns Hopkins University
USENIX HealthSec '10 Program Chairs
healthsec10chairs (at) usenix.org

---------------------------------
Call for Papers
1st USENIX Workshop on Health Security and Privacy (HealthSec '10)
August 10, 2010
Washington, DC
http://www.usenix.org/healthsec10/cfpa/
Submissions deadline: April 9, 2010, 11:59 p.m. PDT
---------------------------------

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

PayPal mistakes own email for phishing attack

2009-12-06T23:38:41Z

http://www.theregister.co.uk/2009/12/04/paypal_phishing_false_alarm/

By John Leyden
The Regiser
4th December 2009

Banks and financial institutions are fond of lecturing customers about
the perils of phishing emails, the bogus messages that attempt to trick
marks into handing over their login credentials to fraudulent sites. Yet
many undo this good work by sending out emails themselves that invite
users to click on a link and log into their account rather than going a
safer route and telling users to use bookmarked versions of their site.

The problems of the former approach are neatly illustrated by a blog
posting by Randy Abrams, a former Microsoft staffer who is now director
of technical education at anti-virus firm Eset. Abrams complained about
the inclusion of a link in an email from PayPal as it looked rather too
much like a phishing email.

PayPal support staffers responded not by noting that Abrams may have a
point, which it would consider, but by treating its own email - which it
acknowledged was "suspicious-looking" - as a phishing attack.

"Not even PayPal support can tell the difference between a legitimate
PayPal email and a phishing attack," Abrams notes.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

HSBC exposed sensitive bankruptcy data

2009-12-06T23:38:25Z

http://www.computerworld.com/s/article/9141834/HSBC_exposed_sensitive_bankruptcy_data?taxonomyId=17

By Robert McMillan
IDG News Service
December 4, 2009

HSBC Bank says a bug in its imaging software inadvertently exposed
sensitive data about some of its customers going through bankruptcy
proceedings.

In notification letters made public Thursday, the bank said it had
redacted sensitive information in Chapter 13 bankruptcy proof-of-claim
forms that were filed electronically, but that the information turned
out to be viewable "as a result of the deficiency in the software used
to save imaged documents."

An HSBC spokeswoman declined to elaborate on the cause of the problem,
but said "a limited number of customers" were affected. HSBC has "no
reason to believe customers' personal information may have been
compromised," she added via e-mail. The company sent letters to affected
customers in October and is offering them one year of free credit
monitoring.

Some customers of the following HSBC companies are affected: HSBC
Taxpayer Financial Services, Beneficial New Hampshire and Household
Finance Corporation.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Certifications are not a panacea for cybersecurity woes

2009-12-04T02:10:08Z

http://fcw.com/articles/2009/12/01/comment-castro-certification.aspx

By Daniel Castro
Commentary
FCW.com
Dec 01, 2009

As Congress debates legislation to improve cybersecurity, one
problematic idea that appears to have gained some traction is developing
a national certification program for cybersecurity professionals.

If certifications were effective, we would have solved the cybersecurity
challenge many years ago. Certainly more workforce training, although
not a panacea, can help teach workers how to respond to known
cyberattacks. However, workforce training is not certification, and
organizations, not Congress, are in the best position to determine the
most appropriate and effective training for their workers.

Organizations know that simply getting their employees certified will
not solve their security challenges. Although a good certification
standard might be a measure of a baseline level of competence, it is not
an indicator of job performance. Having certified employees does not
mean firewalls will be configured securely, computers will have
up-to-date patches, and employees won.t write passwords on the backs of
keyboards. Nor has the increase in the number of certified cybersecurity
workers nationwide resulted in any noticeable decrease in the number of
computer vulnerabilities, security incidents or losses from cyber crime.
Between 2001 and 2005, although the number of Certified Information
Systems Security Professionals in North America quadrupled, the number
of vulnerabilities cataloged by the U.S. Computer Emergency Readiness
Team more than doubled, the dollar loss of claims reported to the
Internet Crime Complaint Center increased more than tenfold, and the
number of complaints the center referred to law enforcement increased
more than twentyfold.

At the federal level, a certification mandate would be little more than
a box-checking activity for agencies, akin to many of the Federal
Information Security Management Act requirements that tax the federal
budget and workforce, but produce few results. Even worse, Congress
might go further and impose costly certification requirements on a broad
range of private network operators and companies in many major
industries. By requiring certification for so many jobs, Congress would
in effect create a .license to practice. for cybersecurity
professionals.

Licenses are typically only required in professions in which the public
is harmed by the absence of licensure. (Perhaps that is an argument to
require licenses for members of Congress.) Therefore, the implicit
assumption in arguing for a certification program for all federal
cybersecurity professionals, those involved in operating critical
infrastructure and potentially many more individuals in the private
sector, is that the public is being harmed because unqualified workers
are filling those jobs -- not because of a lack of talent or
insufficient training but because hiring managers cannot distinguish
between competent and incompetent cybersecurity workers. That is the
only problem that certification (in the form of a de facto license)
could fix. However, no proponent of that approach has provided evidence
to show that the problem exists, nor is the problem commonly cited in
other studies as a factor contributing to cybersecurity risks.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Re: Wanted: A Smokey Bear for cybersecurity

2009-12-04T02:09:52Z

Forwarded from: hobbit (at) avian.org (*Hobbit*)

Today's malware risk is ...

LOW MEDIUM HIGH
__________________________/\____
~~~~~~~~~~~~~~~~~~~~~~~~~~||~~~~

.-------.
/_) (_\
|#|SMOKEY|##|
_______|___________|_______
( . /` '\ . )
`-/ (o___o) \-'
| ,'(_)`. |
\ ( ._|_. ) /
\ `.___,' /
`._ _,'
`~~~'

So please, kids, don't play with Javascript!

_H*

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Engineers who hacked into L.A. traffic signal computer, jamming streets, sentenced

2009-12-04T02:09:39Z

http://latimesblogs.latimes.com/lanow/2009/12/engineers-who-hacked-in-la-traffic-signal-computers-jamming-traffic-sentenced.html

By Shelby Grad
Los Angeles Times
December 1, 2009

Two L.A. traffic engineers who pleaded guilty to hacking into the city's
signal system and slowing traffic at key intersections as part of a
labor protest have been sentenced to two years' probation.

Authorities said that Gabriel Murillo, 40, and Kartik Patel, 37, hacked
into the system in 2006 despite the city's efforts to block access
during a labor action.

Fearful that the strikers could wreak havoc, the city temporarily
blocked all engineers from access to the computer that controls traffic
signals.

But authorities said Patel and Murillo found a way in and picked their
targets with care -- intersections they knew would cause significant
backups because they were close to freeways and major destinations.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Crooks 'too lazy' for crypto

2009-12-04T02:09:25Z

http://www.theregister.co.uk/2009/12/03/digital_forensics_encryption/

By Chris Williams
The Register
3rd December 2009

The widespread use of encryption by criminals - long feared by
intelligence and law enforcement agencies - has yet to materialise,
according to the man in charge of the country's largest digital
forensics unit.

Mark Stokes, head of the Metropolitan Police's Digital and Electronic
Forensic Services (DEFS), told The Register that "literally a handful"
of the tens of thousands of devices it handles each year from across the
whole of London involve encrypted data.

"We're still to this day not seeing widespread use of encryption," he
said.

Despite the availability of scrambling products such as PGP, TrueCrypt
and Microsoft's BitLocker, criminals are not making life difficult for
forensic investigators to access their files.

"You'd think paedophiles would use it, but they don't. It's just human
nature to think they'll never get caught," said Stokes, an electronics

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Secunia Weekly Summary - Issue: 2009-49

2009-12-04T02:09:01Z

========================================================================

The Secunia Weekly Advisory Summary
2009-11-26 - 2009-12-03

This week: 43 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4..................................................This Week in Numbers

========================================================================
1) Word From Secunia:

Fortune 500 companies turn to Secunia when a vulnerability poses a
critical threat to their infrastructure, our Customer Support Center
provides our customers the best support on how to eliminate
vulnerability threats to avoid compromising network security.

Do you have a provider you can contact when the threat is already in
your network?

Click here to learn more:
http://secunia.com/advisories/business_solutions/

========================================================================
2) This Week in Brief:

Secunia Research has discovered a vulnerability in Roxio Creator, which
can be exploited by malicious people to potentially compromise a user's
system.

For more information, refer to:
http://secunia.com/advisories/36069/

--

pyrokinesis has discovered a vulnerability in Adobe Illustrator, which
can be exploited by malicious people to compromise a user's system.

For more information, refer to:
http://secunia.com/advisories/37563/

--

Some vulnerabilities have been reported in BlackBerry Enterprise Server
and BlackBerry Professional Software, which can be exploited by
malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.

For more information, refer to:
http://secunia.com/advisories/37562/

========================================================================
3) This Weeks Top Ten Most Read Advisories:

For more information on how to receive alerts on these vulnerabilities,
subscribe to the Secunia business solutions:
http://secunia.com/advisories/business_solutions/

1. [SA37448] Internet Explorer Layout Handling Memory Corruption
Vulnerability
2. [SA37318] Microsoft Windows Win32k Kernel-Mode Driver Multiple
Vulnerabilities
3. [SA24314] Internet Explorer Charset Inheritance Cross-Site
Scripting Vulnerability
4. [SA35948] Adobe Flash Player Multiple Vulnerabilities
5. [SA37314] Windows Web Services on Devices API Memory Corruption
Vulnerability
6. [SA37273] Google Chrome Two Vulnerabilities
7. [SA36983] Adobe Reader/Acrobat Multiple Vulnerabilities
8. [SA37313] Apple Mac OS X Security Update Fixes Multiple
Vulnerabilities
9. [SA37277] Microsoft Office Word File Information Block Parsing
Buffer Overflow
10. [SA37309] Microsoft Windows Win32k Kernel-Mode Driver Privilege
Escalation

========================================================================
4) This Week in Numbers

During the past week 43 Secunia Advisories have been released. All
Secunia customers have received immediate notification on the alerts
that affect their business.

This weeks Secunia Advisories had the following spread across platforms
and criticality ratings:

Platforms:
Windows : 5 Secunia Advisories
Unix/Linux : 25 Secunia Advisories
Other : 0 Secunia Advisories
Cross platform : 13 Secunia Advisories

Criticality Ratings:
Extremely Critical : 0 Secunia Advisories
Highly Critical : 7 Secunia Advisories
Moderately Critical : 12 Secunia Advisories
Less Critical : 24 Secunia Advisories
Not Critical : 0 Secunia Advisories

========================================================================

Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Subscribe:
http://secunia.com/advisories/weekly_summary/

Contact details:
Web : http://secunia.com/
E-mail : support@...
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Cisco, Juniper vulnerable to hacking

2009-12-04T02:08:47Z

Forwarded from: Simon Taplin <simon.taplin (at) gmail.com>

http://www.itweb.co.za/index.php?option=com_content&view=article&id=28597:cisco-juniper-vulnerable-to-hacking&catid=219:reuters

By Reuters
3 Dec 2009

The US government has identified flaws in equipment from four companies,
including Cisco Systems, that hackers can exploit to break into corporate
computer networks.

The Department of Homeland Security's US Computer Emergency Readiness Team,
US-CERT, said on its Web site that the warning applies to certain networking
products from Cisco, Juniper Networks, SonicWall and SafeNet.

The flaw applies to equipment with technology known as SSL VPN that
companies use to set up secure communications systems for safely accessing
internal computer systems over the Internet.

It affects VPN systems run directly through a Web browser, rather than
through software installed on a user's PC, which is more widely used.

Hackers who exploit the vulnerability could gain broad access to corporate
networks, then steal confidential data, install malicious software or turn
PCs into spam servers.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

A Call to Cyber Arms

2009-12-04T02:08:33Z

http://www.afcea.org/signal/signalscape/index.php/2009/12/a-call-to-cyber-arms/

By Maryann Lawlor
SIGNAL Scape
The official blog of
AFCEA International
and SIGNAL Magazine
12/02/09

Sherri Ramsay, director of the NSA's Central Security Service Threat
Operations Center, opened AFCEA's SOLUTIONS Series today by admitting
that the intersection of cyber, national and economic security has
changed the way her organization interacts with industry. Citing
statistics that cybercrime has cost individuals more than $2 billion,
Ramsay called for shared network situational awareness across the U.S.
government, industry and individuals. This holistic approach must
include information about who owns, operates and defends the networks,
she said.

"Cyberspace at the Cross Roads: The Intersection of Cyber, National and
Economic Security," is the third in this year's SOLUTIONS series of
forums and is taking place December 2-3 at the National Conference
Center. The event features presentations by military and government
leaders as well as three tracks of panel sessions that are designed to
prompt discussions among attendees.

Despite the need for a holistic approach to cybersecurity, Ramsay
acknowledged that determining how to do it poses many challenges. She
related that while discussing cyber defense with her counterparts in New
Zealand, she described the change in tactics as the difference between
playing football and playing soccer. While the former involves offensive
and defensive teams taking the field separately, the latter calls on
offensive players to go on the defense as soon as possession of the ball
changes sides. The New Zealanders agreed that a change has taken place
but said that cyber defense today more resembles rugby.

Ramsay called on government, industry and individuals to be more
proactive in their part of cybersecurity. To this end, the NSA now uses
the term "Team Cyber" every day to describe how it is enacting cyber
defenses. Members of the team include the government, industry and
academia to such an extent that the NSA has actually brought antivirus
vendors into the same room with government network defenders to observe
networks under attack. The vendors were then given the information and
signatures they would need to improve the next version of their
products.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

FBI's Chicago RCFL Receives Prestigious Accreditation

2009-12-04T02:08:19Z

http://www.fbi.gov/pressrel/pressrel09/chicago_rcfl120309.htm

Press Release
For Immediate Release
December 3, 2009

Washington D.C.
FBI National Press Office
(202) 324-3691

FBI's Chicago RCFL Receives Prestigious Accreditation

The American Society of Crime Laboratory Directors/Laboratory
Accreditation Board (ASCLD/LAB) recently accredited the Chicago Regional
Computer Forensics Laboratory (RCFL) in digital and multimedia evidence.
According to ASCLD/LAB, 51 laboratories in the nation are currently
accredited in this discipline. With the Chicago RCFL's accomplishment,
12 out of 14 operational RCFLs have earned accreditation from ASCLD/LAB.
Additionally, the North Texas RCFL recently earned the organization's
international accreditation.

The Chicago RCFL opened in 2003 and is part of the FBI.s RCFL Program, a
national network of 16 digital forensics laboratories and training
centers devoted entirely to the scientific examination of digital
evidence in support of criminal investigations. The Chicago RCFL is
managed by a coalition of federal, state, and local law enforcement
organizations, including the FBI through its Chicago Division and FBI
Headquarters; Chicago Police Department; Cook County Sheriff's Office;
Joliet Police Department; Lombard Police Department; Palatine Police
Department; and the University of Illinois at Chicago Police Department.
RCFL personnel are FBI-certified as computer forensics examiners and
must strictly adhere to standardized operating procedures and
institutionalized peer review measures to provide consistent, accurate,
repeatable, and verifiable results.

The RCFL Program, which is funded and administered by the FBI, supports
the Bureau's criminal investigative and intelligence-gathering efforts
by supplying a wide range of sophisticated technological equipment,
examination tools and capabilities, training, and specialized
experience.

FBI Assistant Director Marcus C. Thomas said: "Earning accreditation
from a respected organization such as ASCLD/LAB demonstrates the
Bureau's commitment to providing exceptional digital forensics services.
With the Chicago RCFL's accomplishment, we have proven -yet again- how
serious we take this work. Increasingly, digital evidence is playing a
pivotal role in criminal investigations, and we are doing our part to
provide high quality services to strengthen our criminal justice
system."

According to ASCLD/LAB's website, accreditation is part of a
laboratory's quality assurance program, which should also include
proficiency testing, continuing education, customer liaison, and other
programs to help the laboratory provide more effective overall service.
The accreditation process is an intensive assessment which evaluates the
qualifications of all laboratory personnel; the laboratory's operational
and technical policies, practices, and procedures; and the laboratory's
quality management system.

For more information about the RCFL Program, visit www.rcfl.gov

*****Sign up for FBI e-mail alerts at www.fbi.gov by clicking on the red envelopes.*****
Follow the FBI on Twitter @ FBIPressOffice

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

E2-labs' project Ethan dissected. Anatomy of a franchise proposal based on non-existing partnerships (UPDATED)

2009-12-02T22:47:15Z

http://www.zone-h.org/news/id/4731

[So maybe Peerbhoy wasn't trained by Zone-H from details here...
http://www.zone-h.org/news/id/4716 - More details about Peerbhoy,
http://www.infosecnews.org/hypermail/0903/16060.html - WK]

By Roberto Preatoni
Zone-H.org
22/11/2009

We received a notice that on WikiLeaks somebody uploaded an interesting
document. It's a PDF file, called Project Ethan (after Tom Cruise's
Mission Impossible caracther?) and it refers to E2-labs very recent
plans to open in India an educational and IT security franchise network.
We downloaded the document and we found some very interesting
information in it, regarding E2-labs future plans and how the name of
Zone-H (and a few others) was used to back up the whole plan to convince
possible investors to invest money in Mr. Zaki Qureshey expansion plans.
Needless to say, Zone-H was never informed about such plans and never
gave any consent to be included in it.

The document is a financial investment porposal, made up by 28 pages. It
seems to be written by Grant Thornton, a well-known financial advisor
company. We have no doubt that the document was originally produced by
such company, it's too well structured, E2-labs and Zaki Qureshey
definitely don't posses the business skills to do that. Nevertheless,
the document it's filled by improper statements. We don't think that
Grand Thornton did it on purpose, we just imagine the situation where
they were given some statements and material by Zaki Qureshey and they
granted it for real, without verifying it. And that is bad, after all,
the entire businell proposal carry their name.

The result is a well written document meant to attract possible
investors, backed up by Grant Thornton name, which sounds to the ears of
possible investors as a guarantee that it is referring to a serious
proposal. This is probably the reason why E2-Labs Mr.Zaki Qureshey
decided to invest some money to look for Grant Thornton advocacy. Just
another case to use somebody's name for his plans.

In this article, we are going to show some excerpts from that document,
followed by some of our comments. Why did we decide to make this
document public? Because that document is yet another example of Mr.
Zaki Qureshey unethical business practices and because it's involving
directly my an Zone-H name and because this is the only way we have to
make clear to the general public that we have nothing to do with Mr.
Zaki Qureshey bogus proposals.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Call for Papers - you Sh0t the Sheriff 4 - Security Conference, Brazil

2009-12-02T22:44:26Z

Forwarded from: Luiz Eduardo <le (at) ysts.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello InfoSecNews readers,

The call for papers for the yStS (you Sh0t the Sheriff) conference is now
open!

The 4th edition will be, once again, held in Sao Paulo, Brazil, on May
17th, 2010.

INTRODUCTION

you sh0t the Sheriff is a very unique event dedicated to bringing cutting
edge topics to the top-notch Information Security Community in Brazil.

yStS mixes the highest quality presentations and speakers from all over the
globe, covering diverse topics in information security.

Our goal is to help attendees understand the current state of the
information security world by mixing professionals and topics from
different Infosec segments of the market.

For the most part, yStS is an invite-only event. So, submitting a talk is
certainly a good hack to try to be there, especially if you're local.

Due to the success of previous years' editions, yes, we're keeping the same
format:
* Kicked-back and cool environment
* YSTS 4 will be held at an almost secret location (only announced to whom
it may concern a couple of weeks before the con)
* and, once again, this secret location will be, most likely, a club or a
bar
* and yes, we have (some) food and (lots of) drinks

CONFERENCE TOPICS

The focus for YSTS 4 is anything related to InfoSec, including (but not
limited to):
* Operating Systems
* Career and Management topics
* Mobile Devices/Embedded Systems
* Information Security Audit and Control
* Social Networking
* Information Security Policies
* Messing with Protocols
* Networking/Telecommunication
* Wireless and all RF related stuff
* Incident Response & other applicable (and useful) Infosec Policies
* Information Warfare
* Malware/ BotNets
* User awareness/ Social Networking Threats
* Secure Programming
* Hacker Spaces/ hacker community
* Fuzzing
* Physical Security
* Virtualization
* Webapp Security
* "the" Cloud
* Cryptography / Obfuscation
* Infrastructure and Critical Systems
* Caipirinha and Beer Hacks
* and everything else security related you might think would be good for
the conference

We do like shorter talks, so, please submit your talks and remember they
must be 30 minutes long.
The new thing for this year is that we also are opened to some 15-minute
talks.
Some of the smart people around might not need 30 minutes to deliver a
message, or it might be a project that has been just kicked-off.
15 minutes might be your thing and that's nothing to be ashamed about.

you Sh0t the Sheriff is the perfect conference to release your new
projects, trust us. And yes, we do prefer new stuff and "first-time"
speakers are more than welcome. If you got good stuff to speak about,
that's all that matters.

SPEAKER PRIVILEGES
(applies only to the 30 minute-long talks)

* USD 1,000.00 to help covering travel expenses for international speakers
* Breakfast, lunch and dinner during conference
* After-conference official party (and the unofficial ones)
* Auditing products in traditional Brazilian barbecue restaurants
* Life-time free admission for all future yStS conferences (yes, if you 've
spoken before at yStS, you have your free-entry guaranteed, just buy us a
beer, ohh, wait, it's free anyways, isn't it?)

CFP SUBMISSION

Each paper submission must include the following information:

* Name, title, address, email and phone/contact number
* Short biography and qualification
* Speaking experience
* Do you need or have a visa to come to Brasil?
* Summary or abstract for your presentation
* is it a 30 minute or a 15 minute talk?
* Technical requirements (others than LCD Projector)
* Other publications or conferences where this material has been or
will be published/submitted.

We do accept submissions in English, Portuguese or Spanish.

IMPORTANT DATES

Final CFP Submission - February 28th, 2010
Final Notification of Acceptance - March 20th, 2010
Final Material Submission for accepted presentations - May 5th, 2010

Please send your talk submission to cfp/at/ysts.org

CONTACT INFORMATION

Paper Submissions: cfp/at/ysts.org
General Inquiries: b0ard/at/ysts.org
Sponsorship Inquiries: sponsors/at/ysts.org

OTHER STUFF

Check our archives session, including the videos, at www.ysts.org

We hope to see you there!

Luiz Eduardo & Nelson Murilo & Willian Caprino
http://www.ysts.org

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFLFtf0go//xpeLCaoRAiZaAJ4ltnW3gbXkAhf8AlmJ/+4dHPaPGQCfSkWY
YlJlnWbDnnqZJdSA3U0bg0o=
=FIfV
-----END PGP SIGNATURE-----

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Cyber Warfare Command to Be Launched in January

2009-12-02T22:43:43Z

http://www.koreatimes.co.kr/www/news/nation/2009/12/205_56502.html

By Jung Sung-ki
Staff Reporter
The Korea Times
12-01-2009

The Ministry of National Defense will launch a cyber warfare command
next month, officials said Tuesday.

The command will conduct both defensive and offensive cyber operations
under the direction of the defense minister, they said.

Previously, the ministry had been considering establishing a cyber
command under the control of the Defense Security Command (DSC), whose
mission is to defend military networks against computer attacks.

The command will be led by a major general and have 200 specialists, the
officials said.

Earlier this year, the DSC said the country's military computer networks
faced about 95,000 reported hacking attacks per day on average.

In July, the government and industrial computer networks suffered from
massive distributed denial of service (DDoS) attacks for several days.

Some intelligence sources from South Korea and the United States blamed
North Korea for the attacks, though no solid evidence has been found to
support those claims.

North Korea is known to operate a cyber warfare unit that specializes in
hacking into South Korean and U.S. military networks to extract
classified information.

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Metasploit Gets New Vulnerabilty Scanning Features

2009-12-02T22:43:29Z

http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=222000147

By Kelly Jackson Higgins
DarkReading
Dec 01, 2009

A new version Metasploit released today includes integrated
vulnerability scanning for the popular open source penetration testing
tool.

Rapid7, which recently purchased Metasploit, today announced both the
new version of Metasploit, 3.3.1, as well as a new free version of
Rapid7's NeXpose vulnerability scanner. The NeXpose Community Edition is
basically a slimmed-down version of the company's enterprise-class
scanner that's limited in the number of IP's it can scan.

The free NeXpose version is integrated with Metasploit 3.3.1 with a
plug-in to the Metasploit console. "This integration is the first to
actually run the [vulnerability] scan and do the import of the data for
you," says HD Moore, chief security officer for Rapid7 and creator of
Metasploit. It lets the penetration tester run the scan, import the
data, and automatically run exploits against the vulnerabilities, he
says.

"This is the first step in the integration" of Metasploit and the
NeXpose vulnerability scanning platform, Moore says. The tools work
together from the Metasploit console with a command-line plug-in: the
penetration tester loads Metasploit, connects to NeXpose, and runs the
scan from there. The scan data is then brought in to Metasploit and
cross-referenced with Metasploit's modules, which then are automatically
launched to test out the vulnerabilities, he says. "The whole process is
from the Metasploit console," he says.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Sequoia opens kimono with e-voting code handout

2009-12-02T22:43:15Z

http://www.theregister.co.uk/2009/12/02/sequoia_source_code_disclosure/

By Dan Goodin in San Francisco
The Register
2nd December 2009

Sequoia Voting Systems has become the first electronic voting machine
maker to publish the source code used in one of its systems, a move that
computer scientists have praised.

On Monday, the Denver, Colorado company released the first batch of code
for Frontier, an end-to-end e-voting system that it plans to begin
selling in the near future. Sequoia has promised to release the
blueprints for 100 per cent of its system software, including firmware,
before the system is submitted for federal certification in June.

To be sure, the initial installment is fairly mundane: code written in
Microsoft's C# programming language that acts as a desktop publishing
program of sorts for controlling the layout of a ballot. But the move
represents a seismic shift in strategy for Sequoia, which in the past
has gone to great lengths to keep third parties from reviewing the inner
workings of its machines.

"They completely reversed their viewpoint from a viewpoint that was very
much closed source to a viewpoint that is very much disclosed source,"
said Jeremy Epstein, a senior computer scientist at SRI International
and an e-voting consultant.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Wanted: A Smokey Bear for cybersecurity

2009-12-02T22:43:00Z

http://fcw.com/articles/2009/12/02/smoky-bear-cybersecurity.aspx

By Amber Corrin
FCW.com
Dec 02, 2009

Cybersecurity has become more than a homeland security issue; it has
become a national lifestyle issue that hinges on raising education at
the individual level, a panel of information security experts said
today.

"If the U.S. is going to continue to be a center of innovation in the
world, we need to up our game. and get on par with the science,
engineering and technology schooling of China and India, according to
Richard Schaffer, information assurance director at the National
Security Agency.

"It's a U.S. problem; it.s a challenge that, [if left] unmet, is going
to put us in a dangerous situation in 10 or 20 years when we can't
afford to be in second place. We never want to be in second place,"
Schaffer added.

Beyond formal education, U.S. cybersecurity strategy needs to develop a
public awareness campaign that permeates the workplace, schools and
homes -- much like the development of Smokey Bear in the 1970s to
promote fire safety, panelists said.

"This [campaign] needs to include secretaries, administrators,
front-line people who have no idea [about technology and cyberspace] -
not just front line cyber operators," said Adam Meyers, an SRA
International information assurance principal who currently works with
the State Department.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

The Fruit of the Poisoned Tree

2009-12-02T22:42:48Z

http://www.networkworld.com/news/2009/113009-criminal-hackers.html

By M. E. Kabay
Network World
12/02/2009

Should we hire criminal hackers as security experts? This is the second
of a two-part attack on the idea from a 1995 debate in which I
participated.

* * *

On a broader scale, consider the message you would be giving some
thirteen year old proto-hacker. These kids, like most kids, are
tremendously susceptible to peer pressure. They already find criminal
hacking attractive because it's viewed as today's counter-culture --
something fairly harmless (compared with, say, dealing drugs) but
exciting because it's illegal. Now imagine that the older creeps can
announce that they've just been hired by The Man (i.e., authority
figures) to work in counter-intelligence, snooping in foreign companies'
files for money (you don't imagine they'd keep it quiet, do you?) -- Oh
man -- not only is criminal hacking glittering with the allure of the
forbidden now, but you can hope to earn money with it from the
government!

The children and emotionally-arrested adolescents involved in criminal
hacking already have a love/hate attitude towards The Man. Many of them
claim that they'd like to work for security firms when (if) they grow
up. This myth that criminal hacking is a reasonable basis for work in
security would become even more pernicious if it were known that more
hackers had in fact been solicited and used by government or corporate
organizations. Using such people would reinforce the attractiveness of
criminality.

Consider the outcry if the military in a democracy actively solicited
murderers to be soldiers. The great challenge of military training is to
temper savagery with honor; to provide a moral framework within which
war is viewed as undesirable, killing as regrettable. A soldier who lies
is a stain on his unit's honor. A soldier who steals is a wretch who
deserves expulsion. And a soldier who breaks his word is a traitor to
his country. And so how shall we deal with people whose entire way of
life is to lie and to steal and to cheat?

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Help InfoSec News with a Donation

2009-12-01T01:12:20Z

http://www.infosecnews.org/donate.html

Richard Clarke once said...

"If you spend more on coffee than on IT security, then you will be
hacked. What's more, you deserve to be hacked."

For $1.00 at the local diner, you can buy a bottomless cup of coffee. At
the local bookstore, a large three shot, double latte soy cappuccino is
about $6.25. Ideally we'd like to see every InfoSec News reader
sacrifice at least three (or more) days without his or her coffee to
enable us to continue the work we've been doing, but also improve our
services.

Donation drives in the past have implemented the InfoSec News RSS feed,
a digest version of InfoSec News, and the capability to run searches of
past InfoSec News articles. A fast server was donated and has been
running for some two and a half years, I can't say enough good things
about our hosting company except with present economic conditions at
this end its been tough trying to cover the related expenses of keeping
it all up and running.

A donation of $3 to $7 isn't a lot when you consider the work done
behind the scenes here, such as dealing with Microsoft SMTPSVC, bounced
mail, and dead addresses. Its no small feat finding, filtering,
formatting, and analyzing the news stories that more than 5300
information security, homeland defense, and open source intelligence
professionals depend on, on a daily basis.

http://www.infosecnews.org/donate.html

Through PayPal we can accept donations in all the major currencies
however, PayPal keeps 2.9% of your payment plus a fixed cost of $0.30
per transaction.

If you don't trust Paypal, that's OK, the mailing address here is...

William Knowles
Post Office Box 24
Golf, Illinois 60029-0024
U.S.A

The 468 x 60 banner space are available, companies or organizations
interested in sponsoring the list can contact me at: wk (shift2)
infosecnews [dot] org and I'll send the brief media-kit.

Donations to infosecnews.org may be deductible as an operating expense
and advertising is deductible as an operating expense. Contact your
accountant or tax professional for the exact determinations. The same
applies in other countries where corporations can make deductible
donations under the terms of "Good Will".

We greatly appreciate any amount you're willing to send out way,
Thank you for your continued support!

William Knowles
InfoSec News
@infosecnews.org

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Restaurants Sue Vendor for Unsecured Card Processor

2009-12-01T01:12:00Z

http://www.wired.com/threatlevel/2009/11/pos/

By Kim Zetter
Threat Level
Wired.com
November 30, 2009

Seven restaurants have sued the maker of a bank card-processing system
for failing to secure the product from a Romanian hacker who breached
their systems.

The restaurants, located in Louisiana and Mississippi, have filed a
class-action suit against Georgia-based Radiant Systems for producing a
point-of-sale (POS) system that they say was not compliant with payment
card industry security standards and resulted in an undetermined number
of customers having their debit and credit card numbers stolen.

The suit alleges that the system stored all of the data embedded on the
bank card magnetic stripe after the transaction was completed -- a
violation of industry security standards that made the systems a
high-risk target for hackers.

Also named in the suit is Computer World, a Louisiana-based retailer,
which sold and maintained Radiant's Aloha POS system.

According to plaintiffs, Computer World's technicians allegedly
installed the remote-access program PCAnywhere on the systems to allow
its technicians to fix technical problems from off-site. The only
problem is, the company failed to secure the program. The suit alleges
that the system was not up to date with software patches, and the
PCAnywhere remote log-in and password that technicians used to access
the POS systems was the same at every one of the 200 Louisiana locations
where the system was installed. According to one of the plaintiffs who
spoke with Threat Level, the default login was "administrator" and the
password was "computer."

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Gilbert man loses job in case tied to alien-search software

2009-12-01T01:11:48Z

http://www.azcentral.com/news/articles/2009/11/30/20091130searchforaliens1202.html

By Emily Gersema
The Arizona Republic
Nov. 30, 2009

The search for intelligent life apparently has stopped for Brad
Niesluchowski.

Higley Unified School District records obtained by The Arizona Republic
show that Niesluchowski, of Gilbert, resigned in October after an
investigation into suspicious activity, including the use of a program
that searches satellite signals for extraterrestrial life.

According to the documents, district officials said they found
Niesluchowski had abused his authority in purchasing and oversight of
district technology and equipment, and downloaded to every district
computer a University of California-Berkeley program that relies on
volunteers and their personal computers to search satellite-collected
data for signs of intelligent life in outer space.

Higley officials so far estimate the damages, energy usage and equipment
losses linked to Niesluchowski at $1.2 million to $1.6 million.

District administrators hand-delivered a notice of termination of
contract for cause to Niesluchowski on Oct. 7, which he refused to sign.
He instead consulted an attorney, and then resigned at the attorney's
advice.

According to the termination letter, Niesluchowski faces several
allegations that he violated the terms and responsibilities of his
contract and ethics policies - and is the focus of a criminal
investigation. Documents show:

* During a warranted search of his home earlier this fall, Gilbert
police found 18 computers and other equipment stolen from the
district.

* District officials said they learned Niesluchowski never installed
firewalls that would protect students' and staff members' personal
information from hackers, exposing district computer and data to
potential tampering or damage.

* District officials also say he failed to train and supervise other
tech staff.

* Officials allege he downloaded to every district computer a University
of California-Berkeley program known as "SETI@home." SETI is short for
the "Search for Extra Terrestrial Intelligence."

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

I Was Wrong: There Probably Will Be an Electronic Pearl Harbor

2009-12-01T01:11:09Z

http://www.csoonline.com/article/509213/I_Was_Wrong_There_Probably_Will_Be_an_Electronic_Pearl_Harbor

By Ira Winkler
CSO
November 29, 2009

For 15 years now, I have been publicly lambasting all of those people
who have made their careers, or at least made fleeting news headlines,
based on their declaration of an imminent Electronic Pearl Harbor. My
disdain is based on several factors, but predominantly the lack of
accountability for such statements. One industry analyst, for example,
stated that there will be such an event by the end of 2003. Six years
later, I didn't see anyone revisit the utter lack of such an event.

However, I now see things developing to the point where there can be a
strategic attack on computer infrastructures. The key word is Strategic.

Another major issue I have with the people who stake their fame in
information warfare is the lack of apparent understanding in the concept
of military and geopolitical issues. Specifically, strategy implies long
term impacts, generally at least 3-6 months. Tactical attacks have short
term impacts. Yes, we have had many tactical attacks against different
infrastructures. However, comparing these attacks to Pearl Harbor is
insulting.

Pearl Harbor was a preemptive strike against the US Pacific Fleet. It
significantly degraded the US Naval capability for several years. If the
aircraft carriers were in Pearl Harbor as the Japanese expected, it
could have been a complete knockout blow. So the question becomes, what
can make a computer attack strategic?

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

CERT Australia pushes on network security

2009-12-01T01:10:58Z

http://www.theaustralian.com.au/australian-it/cert-australia-pushes-on-network-security/story-e6frgakx-1225805518322

By Karen Dearne
The Australian
December 01, 2009

The new computer emergency response team, CERT Australia, will expect
internet service providers to be more active in cleaning up infected
computers operating on their networks.

Following the federal government's e-security review last year, the
Internet Industry Association has been hammering out a voluntary ISP
code of practice aimed at identifying botnet activity and alerting
customers to security breaches.

Attorney-General's Department national security resiliency division head
Mike Rothery said CERT Australia would be a two-way clearing house for
notifications from local and international authorities, with
responsibility for tracking down compromised machines in Australian
domains.

"We'll be establishing relationships with our CERT counterparts so that
if we identify (attacks coming from) compromised machines overseas, we
can ask those authorities to trace the actual owners and seek that those
be cleaned up," Mr Rothery said.

"Where identified machines appear to be in Australia -- and the
notification may come from overseas or from a local ISP or web hosting
company -- we will track down the owners through their ISP or web host
and tell them their machines have been compromised.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

The nation needs a clear cyber war doctrine

2009-12-01T01:10:47Z

http://gcn.com/articles/2009/11/30/cybereye-cyberwar-doctrine.aspx

By William Jackson
GCN.com
Nov 30, 2009

A recent study from McAfee on cyber crime and cyber warfare concluded
that, like it or not, the world.s information infrastructures are
becoming theaters of war, as nations develop offensive and defensive
capabilities to wage cyber warfare.

"Cyber weapons exist, and we should expect that adversaries might use
them," said James Lewis, director of the Technology and Public Policy
program at the Center for Strategic and International studies. Lewis is
one of 2,000 national and cybersecurity experts who were interviewed for
the study.

The threat of cyber war is not comforting, but more disturbing is the
fact that we do not know how to use the weapons we are developing. Our
ability to defend ourselves and to take the struggle to our enemies is
hindered by the difficulty in understanding the sources and motives
behind what might be considered hostile action against our networks and
systems. Unlike attacks by conventional and nuclear military weapons,
cyber attacks tend to be asymmetrical, remote and hidden. It is
difficult to tell who is behind an attack and what its objective is.

It is easy to blame North Korea or China for intrusions that seem to be
launched from computers in those countries, but the location of a
computer or network launching an attack says little about who is behind
it.

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Cyber crime danger

2009-12-01T01:10:35Z

http://www.fijitimes.com/story.aspx?id=134569

Fiji Times
November 30, 2009

THE Police Force has forecast cyber crimes to increase by 40 to 50 per
cent from 2010 to 2012.

Jemesa Lave of the police cyber crime unit said in these two years, it
was anticipated that more complicated technological crimes would be
perpetrated in Fiji.

Coupled with this, he said was the anticipated shift from conventional
criminal operations to cybercrime.

"We need legislation, we need to ensure that standards are put in place
to address computer crime issues," Mr Lave said.

He said people needed to be aware that computer crimes knew no borders.

Mr Lave said the major challenge for Fiji was having implemented
legislations to cover this.

He said at present, the police had some degree of capability to detect
and investigate recently enacted decrees to ensure offenders were
brought to decide.

At the cyber crime unit, there are 13 INTERPOL trainers in IT crime
investigation, two certified computer forensics specialist, computer
forensics specialists, one certified application forensics speciality,
and one certified mobile forensics specialist.

Mr Lave said 70 per cent of the reports they received had been
investigated by CID headquarters.

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

Priyanka's twitter update could be security threat

2009-12-01T01:10:21Z

http://www.mid-day.com/lifestyle/2009/nov/231109-Priyanka-Chopra-Twitter-account-Security.htm

[Ankit Fadia, India's uber hacking expert, appears to heavily promote
Viagra, or been hacked by evil spammers that found a way to subtlety
deface the web page. - http://attrition.org/errata/sec-co/fadia01.html - WK]

By Kumar Saurav
Mid Day
2009-11-23
Mumbai

Not just Priyanka Chopra, but any celebrity or public figure's Twitter
updates can jeopardize national security, claims 24 year-old ethical
hacker Ankit Fadia

Mumbai-based cyber security consultant Ankit Fadia, who claims that his
website Hacking Truths was judged as the second best hacking site in the
world by the FBI, says social networking sites are the latest threat to
India's security. The potency and penetration of social networking in
the country has made it possible for anyone to track and connect with
film stars, politicians and other public figures who were once beyond
reach.

Karan Johar, Priyanka Chopra, Aishwarya Rai, Shashi Tharoor and Barack
Obama are just a few from a whole bunch of celebrities who update their
Twitter status regularly. But "are they doing it wisely?" is what Fadia
asks.

Why are you apprehensive about celeb tweeting?

If you follow celebs, you'll observe that they disclose information on
where they are shooting, what their shooting schedule looks like and the
hotel they are put up at. Unintentionally, they are inviting trouble,
because troublemakers are hungry for such information.

Any instances?

Singer Britney Spears' account on Twitter is hacked almost once every
two months. One of the hackers even claimed on her wall, that he's her
public relation officer and that Britney is dead, with details about the
date and venue of her funeral.

Indian politico Shashi Tharoor's account has been hacked several times
too. Even Big B and Aamir Khan's blog were hacked. Once a blog, website,
social networking account is hacked, a hacker has full control over it.
He can spread rumours, communicate with fellow criminals, and indirectly
make you a partner in their crime.

How would you rate the technical stylishness of terrorists?

They are far ahead. When I was asked by the US intelligence to decode
some scripts after the 9/11 attacks, I was stunned to see the kind of
technology they used to communicate. The agencies had tracked some
emails where a few individuals were frequently exchanging photographs of
Canadian rockstar Avril Lavigne. Hidden text messages that aren't
visible to the naked eye, were being exchanged through these pictures.

What about Mumbai's 26/11 terror attacks?

For 26/11, they had used highly secured Voice Over Internet Protocol
(VOIP) like Skype to communicate with each other. The data on VOIPs'
servers is so huge that by the time you track them, the damage has been
done and criminals are out of reach. The 26/11 terrorists had used the
"proxy bouncing" technique, where in they were sending messages through
a Saudi Arabia based server, while they were actually sitting in
Pakistan.

Why is tracking such messages so difficult?

They know the loopholes, and how to use them affectively. Suppose three
terrorists A, B and C want to communicate with each other, what they do
is create a Twitter account and follow each other, thus forming a closed
group. So if A posts a message saying "Plant Bomb at Parliament at 11
am", just B and C will be able to see the message. And since Twitter is
based in the US, Indian authorities wouldn't have control over this
exchange of messages.

Tracking messages is another problem. I will track a suspicious mail
only if it's sent. If A wants to communicate with B, he will type an
email and save it as a draft instead of sending it. Now B, whose has A's
password will log in to A's account, read the mail in the "Draft"
folder. Since the mail hasn't been sent, it becomes almost impossible to
track it.

How do spammers and hackers operate in social networking sphere?

There are viruses, worms, spyware and malware that spread through social
networking websites. One day, you receive a private message from one of
your friends (who is already infected) containing a link to a Youtube
video. Halfway through the video, it will prompt you to download some
video plugin. Since the message comes from your friend, you trust it,
but the moment you click it, you get infected. Get rich quick schemes,
earn money online scams and various money laundering attacks now come
through social networking sites.

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org

State dinner crashers greeted President Obama

2009-11-29T23:45:10Z

http://www.washingtonpost.com/wp-dyn/content/article/2009/11/27/AR2009112702650.html

[First thought that came to mind after hearing this was the season
finale of Day 2 on '24' - President Palmer is shaking hands with many of
the onlookers, one of them being a woman hired in Day 1 to assassinate
Palmer. She slips a deadly virus into his hand, and President Palmer
collapses to the ground, panting. - WK]

By Jason Horowitz, Roxanne Roberts and Michael Shear
Washington Post Staff Writers
November 27, 2009

Getting to the president is supposed to be tougher than this.

According to a White House official, Michaele and Tareq Salahi, the
couple previously best known for auditioning for a Bravo reality
television show, not only got through various Secret Service checkpoints
at Tuesday night's state dinner but also went through the receiving line
and personally greeted President Obama. Their high-profile home invasion
penetrated the most vaunted security apparatus on Earth, and the Secret
Service issued its apologia on the subject late Friday.

A statement issued by Director Mark Sullivan said the agency was "deeply
concerned and embarrassed by the circumstances surrounding the State
Dinner" and added that "the preliminary findings of our internal
investigation have determined established protocols were not followed at
an initial checkpoint, verifying that two individuals were on the guest
list."

Sullivan added, "Although these individuals went through magnetometers
and other levels of screening, they should have been prohibited from
entering the event entirely. That failing is ours."

[...]

________________________________________
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News
http://www.infosecnews.org