Powered by InformationWeek Business Technology Network
JailBroken iPhones Targeted By Rick-Rolling Worm
The SANS Institute Internet Storm Center is warning users of jailbroken iPhones that a new worm is targeting their hacked phones. So how dangerous is it, really?

Microsoft To Patch 15 Vulnerabilities
As part of its monthly ritual, Microsoft in its Security Bulletin Advanced Notification for this month warned of a number of nasty vulnerabilities in its operating systems and productivity software.

Tech Pros Want Security, Healthcare, Green Certifications
Techies are seeking professional certifications in emerging areas like healthcare and green IT, and especially in old standbys like IT security, according to a new survey.

Manhattan DA Announces Major ID Theft Indictment
A Manhattan DA brought a 149-count indictment accusing a computer technician of stealing the identities of more than 150 employees of the Bank of New York Mellon and using those identities to orchestrate more than $1.1 million in thefts against charities and non-profits, among other institutions.

New Project Takes Aim At Web Vulnerabilities
A new open source honeypot sets bait to lure attackers and to gain first-hand information on current attack techniques underway.

Blue Coat Identifies Halloween Trick
Blue Coat has identified a new malware trick just in time for Halloween. Unsuspecting victims are redirected to one of two malware sites after searching for Halloween-related sites. These distribution sites are typically used for hosting warez, pirated digital content, but have been switched to malware distribution in the past 12 hours.

Patch Your Firefox
Mozilla just released 16 patches for vulnerabilities in Firefox. Eleven of the flaws are critical, and affect a number of components in the browser.

UK Jobs Website Hacked
The news site Guardian is warning members of its UK jobs site that the site has been breached, and that personal data may have been snagged.

Application Security Is National Security
Hacks targeting U.S. government computers are coming from China. We knew that. The Chinese hackers are relying on zero-day software vulnerabilities to exploit critical systems. So, tell me again: why aren't we doing more to require that applications be built secure from the start?

My Hat Is Blue
For the past two days I have been back in Seattle. It was almost two years ago that I left the city, and I was not sure when I'd get a chance to return. Microsoft's BlueHat security conference was a great reason to come back to my favorite rainy city. What is BlueHat?

Gumblar: Back With A Vengeance
Earlier this year, the botnet Gumblar made a splash when it infected more than 2,300 Websites, including popular destinations such as Tennis.com, Variety, and Coldwellbanker.com. Now, security researchers say Gumblar is back in strength and is changing its tactics.

Scammers Up The 'Rogueware' War
Attackers have been known to encrypt user files (as happened with Gpcode) and then demand payment for the decryption key for some time. These so-called rogueware attacks, including scareware, have been underway for some time. Now scammers have upped their attack tactics.

RAND: U.S. Should Not Prioritize Cyberwarfare
The think tank RAND came out with an Air Force-funded paper that concludes spending money on operational cyberwarfare is a waste of budget. I agree.

Healthcare Reform Bill Means HIPAA Changes, Too
The healthcare reform bill that passed a key Senate committee today contains several health IT-related provisions. Among them are new rules regarding HIPAA, including proposals allowing the periodic update of HIPAA standards, and fines for health plans that don't comply with HIPAA "operating rules" by April 2014.

October's Scary Patch Tuesday
Next Tuesday Microsoft plans to release 13 separate security bulletins that will cover more than 30 individual patches. More than half of the bulletins are ranked as "critical."

Amazon Web Services DDoS Attack And The Cloud
A suspected denial-of-service attack aimed at Amazon Web Services (AWS) this past weekend shut down a code hosting service for nearly 24 hours. I don't see this as a security issue specific to cloud computing, rather just another disruption to availability like all of the others.

U.S. Government Set To Clamp Down on P2P Networks
You've probably heard the horror stories about private and confidential files being exposed via peer-to-peer file sharing. Federal lawmakers are now stepping up their efforts to keep sensitive data from inadvertently leaking to the public.

Cyber-Crime No Longer Smash and Grab
Typically, banking customers discovered they'd been victimized by cyber-crime when they found their bank accounts emptied. No more. According to this report, online thieves are getting craftier at covering their tracks to go undetected for longer stretches of time.

Hacking Gets Physical
The guilty plea entered in federal court last week by a contract IT worker, for disrupting a computer system used to monitor off-shore oil platforms, shows that illegal hacking is increasingly likely to endanger the physical world.

Survey Says: PCI DSS Compliance Not Strategic
That's right. A survey conducted by the Ponemon Institute, and backed by security firm Imperva, says that the vast majority of firms don't view the Payment Card Industry Data Security Standard (PCI DSS) as a strategic initiative.

Security Software Market Remains Strong
While the growth of the security software market took a hit this year, along with most every other market segment, it's still pegged to grow 8 percent, year over year, according to a market research firm. There's also stronger growth ahead.

Think Your Anti-Virus Is Working? Think Again
Most enterprises and Web users probably think that if they simply keep their anti-virus systems up to date, they're in good shape. A pair of reports published by NSS Labs today dispels any such notion.

Microsoft Steps Up To Squash Malicious Advertising Threat
While Microsoft has moved to file five civil lawsuits to help fight malicious online advertisers, the winning bet is probably not going to be on this having a big impact on malicious advertising any time soon. There's just too much money being made.

Systems Infected Tend To Stay Infected
Think most PC and endpoint infections are quick hits? Think again. Research released today shows that once infected, systems tend to stay that way for a long, long time.

SQL Vulnerabilities Continue To Plague Web Security
A gray-hat hacker with a reputation for outing corporate Web site vulnerabilities says he's uncovered SQL injection flaws in the Web site of RBS WorldPay. RBS responded, saying no customer data was accessed.

Cryptographic Keys Focus Of Next-Gen Net Security
Against the backdrop of rising malware threats and organized cybercriminal rings, a national cybersecurity initiative is taking shape that will bring a "locked down" mentality to the way we authenticate users, apps, and anyone or anything that touches a network. I'm talking about the Cryptographic Key Management (CKM) project that is being run out of the National Institute of Standards and Technology's Computer Security Division.

Ethics, Integrity, and Playing Nice
As security professionals we are paid to know how to do bad things. We must know how to do these bad things in order to defend against bad people. What separates us from the criminals is our integrity. We hack for the good of humanity.

New Warnings On EMP Threat
More than 800 people registered for a conference being held in Niagara Falls, NY, to discuss the possible nightmare outcome of an electromagnetic pulse (EMP) attack on the continental U.S. A fix is startlingly cheap, but remains ignored.

Patch Tuesday: Five Critical
Security managers and operations teams will be greeted with a handful of significant Microsoft patches when they return to work Tuesday afternoon. Unfortunately for them, the most aggravation and the most significant danger may come from the patch that isn't on the docket.

Program Aims To Erase Doubts About Health Data Security
A new certification program could make it easier for healthcare organizations to decide whether their IT security products meet their compliance needs.

Hacking Oil Rigs
When it comes to cyberwar, real cyberwar, perhaps the most damaging attacks won't come in the form of denial-of-service attacks, but will be aimed directly at our energy supply.

Snow Leopard's Anti-Malware Lacks Roar
A security firm's assessment of the malware protection capabilities, leaked prior to Friday's release, shows that Apple's Snow Leopard won't be chasing down much malware.

Amazon's Private Cloud: Virtually Private Or Maybe Private?
Amazon, purveyor of the EC2 public cloud, suddenly announced Aug. 26 that it's a private cloud supplier. Isn't there something wrong with a multi-tenant, shared-resource provider transforming itself into a private cloud service? I'm not sure Amazon can offer a private cloud -- yet. Then again, I see no reason why it couldn't sometime in the future.

Trend Micro Rips Lid Off Estonian Cybercrime Hub
An important Trend Micro paper, spotlighting a cybercriminal hub operating out of Estonia, has surfaced on Slashdot. The racket here is that a seemingly legitimate Internet Service Provider is in reality the headquarters for a rogue network, which extends into Europe and the United States. The breadth of the deception outlined in the paper is scary; doubly so because cybercrime is emerging as the single biggest security threat of the next decade.

Is Snow Leopard Coming With Antivirus?
Apple security firm Intego posted a hint that Snow Leopard, the new Macintosh operating system that is due for release this Friday, may contain some level of anti-malware detection.

Government Finalizing Medical Data Breach Notification Rules
Medical data breaches are on the rise. Much in the same way that credit card breach notifications skyrocketed following California's enactment of SB 1386, California's medical breach laws are doing the same now with patient data. Unlike financial breaches, however, federal rules are now coming into play.

Hacker Indictments Highlight Application Security
As you probably know, a federal grand jury has indicted Albert Gonzales, 28, of Miami, Fla., for allegedly hacking into computers belonging to retail and financial companies and stealing more than 130 million credit and debit cards. And the hacking didn't involve anything more than standard SQL injection attacks.

Banks, Credit Card Companies Take Swipe At New Encryption Method
Visa Inc. and Fifth Third Bancorp are testing a novel technique for authenticating in-person credit and debit card transactions by using a fingerprint created by the individual magstripe on each card.

E-Voting Takes Another Hit
A group of computer scientists has shown how voting results held in electronic voting machines can be changed using a novel hacking technique. It's yet another reason why we need a verifiable, auditable paper trail for electronic voting machines.

Where Are The Groundbreaking Security Technologies?
Every day I speak with numerous security product companies. The reasons for these discussions vary. Some are pitches for InformationWeek product reviews, others are for my security consulting day job at Alvarez and Marsal (yes, shameless plug), and some are for companies I advise. Here is my dilemma. I am pitched so many products each day, but I rarely hear of anything that is really new and groundbreaking. PR reps, keep reading and don't bombard me with hate emails. Yet.

Prepare To Patch
If you are a Microsoft Windows user, chances are there's a patch waiting for you tomorrow.

DDoS: Why Attackers Do the Things They Do
As news of the Facebook and Twitter DDoS trickles in, I ponder why attackers launch attacks in the way they do. I don't even really consider why they do it, just why they take a certain approach.

New SSL Attacks Don't Change Your Web Risk
There's been a lot of talk about SSL security since last week's Black Hat conference. While these attacks are significant, I don't see them as changing the security posture of the Web.

Is AES On The Way Out?
Cryptographic researchers have uncovered a new attack against the ubiquitous AES encryption algorithm. While there have been a number of complex attacks aimed at AES recently, this one, experts warn, may be practical enough for run-of-the-mill attackers to exploit.

Corporate Patch Management Lags In Maturity
If one of the most important disciplines necessary for keeping systems secure is a systematic vulnerability management program, why have so few organizations reached a decent level of maturity in their patch management efforts?

BlackHat Bombshell #2: iPhones And Other "GSM" Phones Open To SMS Hack
With one bombshell already having been dropped at the BlackHat Conference (that most implementations of SSL are configured to give up everything, including logins, credit cards, etc.), researchers dropped another one today when they demonstrated how the SMS infrastructures of GSM-flavored operators such as AT&T and T-Mobile are hackable to the point that cell phones can be hacked and their users can be tricked into divulging confidential information.

Black Hat: Fighting Russian Cybercrime Mobsters
McAfee and the FBI teamed up at Black Hat to discuss Russian online organized crime. The standing-room-only presentation was part fact and part hype. With a mission to publicize the FBI's work, Russians were made out to be some of the most organized and threatening of all cybercriminals. While this could be true, the connections to American and other hackers around the world were drawn and cannot be ignored.

Serious Internet Server Exploit Widely Available
The ubiquitous DNS server standard, BIND 9, is vulnerable to an exploit that has already been made public, the Internet Systems Consortium warned.

UPDATE: BlackHat, Kinda: 'Real' Black Hats Hack Security Experts
UPDATE: The rumor here is that the attacks did indeed happen, but the significance is actually quite small -- not worth paying attention to, since attention is clearly what the attackers are seeking. More to come.
BlackHat, Kinda: Yesterday a hacking group released details (http://sh0dan.org/zf05.txt) of a number of successful attacks they conducted, apparently with the principal purpose of embarrassing some of the security industry's most well-known experts. The group claims that they collected about 75,000 passwords, including those of a few security experts speaking at the BlackHat Briefings today and tomorrow. "Welcome one and all to the real Black Hat Briefings," reads the site. "Live from the underground, coming right at you free of charge."

Congress Taking Steps To Secure Electric Grid
So the theory goes: one strategic electromagnetic pulse (EMP) detonation over the mid-west United States could cripple the power grid, and even stop most electronic devices, from a car's ignition to medical devices to radios and TVs to PCs, from functioning. So what, if anything, are we doing about it?