Src: Terrorists turn technology into weapon of war in Mumbai (The Courier-Mail)
Malware Database (web)
Malware Database (twitter)
Src: Patching offline virtual machines (Security4all)
Larry Pesce of PaulDotCom.com has been working on his SANS paper, and has numerous postings (latest one here) about tools like MetaGooFil and others to extract information from local and web documents.
Src: How video and pictures can be a threat to security (ThreatChaos)
How long before spammers start sending text messages to all cell phone numbers with the command: remote-erase-all-data-now?
Slashdot commentary on Lenovo Service Disables Laptops With a Text Message
Original story on eWeek
On the licensing side, the user is faced with a barrage of cryptic codes to enter, if they remember where they put the license key in the first place. How about coming up with word-based licenses instead of G6QRH five times?
On the driver side, my own experience echoes that of Mr. Dawson in that both Dell and HP's service tags manage to recognize the machine but present an array of choices regarding hardware drivers. How is a user to know which particular version of a network card or sound card one has? Why can't manufacturers code that level of detail into their license tags? Please don't mention HPA (Host Protected Access), a special area of the disk where manufacturers "store" (hide?) drivers and restoration software.
Ubuntu, a free Linux distribution with the look and feel of Windows, will install and recognize most hardware without ever asking for a license or a driver. We need technology that simply works instead of getting in the way.
Src: Are you sure you don’t just want to use Ubuntu? (ZDNet.com)
Earlier this month, Douglas MacMillan wrote a story for BusinessWeek about scammers and the dangers to your online identity. The article featured Shawn Moyer and Nathan Hamiel and their successful scam: convincing fellow LinkedIn users (many of whom are security professionals themselves) that they were the real Marcus Ranum (CSO of Tenable Network Security).
By chance, I happened to see the article on Twitter and left a comment. The comment got picked up and I was asked by BW to provide a photo and give my blessings to be featured on the front page.
Many thanks to Stiennon's Twitts, the Security Bloggers Network and the Security Twits group for all of the positive attention.
Direct link to the BusinessWeek story (photo of front page area below)
BusinessWeek front page
Personally, I would like to see more being done by the web-based email providers to validate users' identities and protect the ever-increasing value of information being stored in email accounts.
Gmail Security Flaw Proof of Concept
Who will make the list next?
Src: Microsoft is 5th most spam-friendly ISP (ZDNet.com)
This article exposes a salient truth about the academic sector. In the past two weeks, I have come across two instances where academia has appeared clueless when it comes to data security and privacy. One is contained in the article below ("what's a CPO?"); the second was posted on the social networking site Twitter by a frustrated security professional who was dumbfounded to have to explain the term "penetration test" to a group of Computer Science PhDs.
Src: A Wealth of Data, and Nobody in Charge (Chronicle.com)
- Backtrack 3
- Helix 2.0
- Samurai Linux
SunTzuData, the company behind the SUMO Linux distro was founded by Marcus Carey. Marcus used to work for Computer Sciences Corp. (CSC) and was assigned to the DC3's Defense Cyber Crime Investigations Training Academy (DCITA) as a Researcher and Instructor.
Cyberscams Befriend Social Networks (BusinessWeek)
Use NoScript to force websites to SSL (Security4all)
And Now the Manchurian Microchip (Daily Artisan)
This is good news for security professionals in the consulting realm. However, for those already employed by UK companies suddenly facing this law, their headaches just got a lot stronger.
Businesses could be fined 10% of revenues for data protection breaches (Information Age)
The security threats have "more to do with human error and the usability of advanced authentication systems than any technical security problem." -- AlZomai (Web banking risk down to human error)
"Human error has become the biggest security concern for IT directors." -- Research report from Secure Computing (VUNet)
We need a shift in the way we think about data, starting from the decision of what to collect, how things are presented (Human-Computer Interface), and how things are stored/communicated/processed. Until we do, these kinds of accidental data leaks will continue to occur due to human error or, in this case, erroneous assumptions.
Src: Student data slip out via Google Maps (The Daily Yomiuri)
It is crystal clear that web application programmers are writing a LOT of bad code and their bosses are either ignorant of the problem or negligent in exercising their management authority. -- Alan Paller, Director of Research, SANS Institute - @RISK: The Consensus Security Vulnerability Alert
This paper introduces a new method that enables an attacker to change the .NET language. The paper covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it's supposed to do. Code reviews will not detect backdoors installed inside the Framework since the payload is not in the code itself, but rather it is inside the Framework implementation. Writing Framework rootkits will enable the attacker to install a reverse shell inside the framework, to steal valuable information, to fixate encryption keys, disable security checks and to perform other nasty things as described in this paper.
Src: SANS Institute Reading Room - .NET Framework Rootkits: Backdoors inside your Framework
Technological systems, especially newer ones, are exceedingly complex—and complexity is the worst enemy of security. -- Bruce Schneier in Securing Your PC and Your Privacy (EarthWeb.com)
As reported on a Belgian Security Blogger's site, a mirror on a bathroom sported the message (modified to reflect that security and safety are translated in the same word in Dutch, one of the official languages in Belgium). Src: http://www.remes-it.be/node/36
Also: RaDaJo (RAul, DAvid and JOrge) Security Blog: WPA/TKIP ChopChop Attack
As Google itself acknowledged, IP address data is sometimes private and sometimes not. Hustinx basically seeks to remove any confusion on the part of the EU DPAs so that if the DPAs can't clearly determine if sometimes the data is private and sometimes not, it should be considered to be private and protected as such.
Hustinx: nameless data can still be personal (OUT-LAW.COM)
That's the best way to secure customer data, not to have it. The way to make it work is to make companies liable to exposed customer data, to give them the economic problem of owning my data. They are the only entity that can protect it, yet when the data is lost, they don't feel the pain - I do. -- Bruce Schneier
Src: CIO Insight - Know It All - Bruce Schneier - Schneier on Privacy (and the Lack Thereof)
...the signature and patch-centric approach to protecting desktops isn't dealing with the new, targeted threats that aim at the user, not unpatched PCs. -- John Pescatore, NewsBites co-editor, in SANS NewsBites Vol 10 Issue 87
People make mistakes that cause harm to others. The challenge is how we educate and reinforce in people to do what is correct. I have said for years there needs to be a law entitled U.S. Code Title 18 "Stupid". In my former life, I would have had a lot more convictions. However, I am not sure what the consequences should be for stupid. -- Ron Dick, NewsBites co-editor, in SANS NewsBites Vol 10 Issue 87
Election Hoax Sent Via D.C. Based E-Campaign Group - Security Fix
Malware has increased in complexity and capability; the Sinowal trojan used in this attack can show the user a fake login page, luring the user to provide valid credentials which are then transmitted by the malware to a server in a remote location/country.
A Huge Cache of Stolen Financial Data - Bits Blog - NYTimes.com
Black market for zero day vulnerabilities still thriving (Zero Day, ZDNet.com)
Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.
There is no reason why missing boot files would have taken days to repair if the company had implemented appropriate incident response and business continuity plans. In my own home environment, I can be back up and running in less than 10 minutes should my entire operating system get trashed. Why can't a company do the same?
Former sysadmin sentenced for wrecking corporate servers